“I’m concerned that companies will hear only the parts of the IO 
message that they want to hear.” 


What Keeps IT Pros Awake at Night? 

Microsoft Services Premier Ultimate announcement and Dynamic IT 

For the upcoming IT Pro Connections Conference 
(www.itproconnections.com), I’m preparing to chair a panel 
discussion about what keeps IT pros awake at night. Among all the 
possible sleep-stealing concerns, one theme keeps jumping out when I 
talk to Microsoft people: the Dynamic IT initiative, which is based 
on Infrastructure Optimization (the IO model). If you're frowning 
skeptically and wondering why I might think this topic would keep 
you awake when you have more immediate concerns, let me explain. 

The basic premise of Dynamic IT and the IO model is to decrease 
business costs by making IT more efficient: By optimizing comput- 
ing infrastructure, IT can progress from the Basic level to become 
Standardized, then Rationalized, and finally Dynamic. According to 
Microsoft, “With this strategy and assistance from an experienced 
Microsoft team, forward-thinking organizations are implementing 
tools and techniques that drive down costs and dial up efficiency. 
By standardizing, automating, and more tightly controlling the IT 
infrastructure they manage in this way, these organizations are find- 
ing they can save hundreds of dollars per desktop each year.” 

You might infer that I think you're spending sleepless nights wor- 
rying about how to implement the IO model in your company. You 
probably should be, but that’s not my point. 

Although Microsoft insists that Dynamic IT’s increased efficiency 
will “free up” IT pros to become more strategic, the concern is 
that most companies will consider those “freed-up” IT pros to be 
non-essential. Doubtless, some smart companies will embrace the 
idea of IT staff having time to think strategically and plan for future 
innovation—instead of barely having time to react to the latest crisis. 
However, what might wake you up at night is the idea that, especially 
in a slow economy, a lot of companies will take improved efficiency 
as a reason to cut costs further by eliminating IT positions. 


Premier Ultimate Support 

Let me give an example of how prevalent the IO model is within 
Microsoft. Not only are Microsoft developers building IO concepts 
into their products, but Dynamic IT is even making its way into 
Microsoft Support programs. 

I recently spoke with Charlie DeJong, general manager of 
Support and Health, in the Microsoft Services organization. We 
discussed Microsoft’s announcement of availability of Microsoft 
Services Premier Ultimate (see 
www.microsoft.com/services/microsoftservices/srv_enterprise.mspx). 
According to Microsoft, Premier Ultimate “builds on the current 
Premier Support family of offerings by combining unlimited problem 
resolution support with current Premier features such as proactive 
IT health assessments, account management (both onsite and 
dedicated) and onsite support, twenty-four hours a day, seven days 
a week.” 

www.windowsitpro.com 

We're in IT with You 

DeJong added, “With Ultimate, we are engaging with existing 
customers with whom we have history and knowledge of their envi- 
ronment. We’re assessing their incident history and pain points and 
IT plans, and collaboratively coming up with a roadmap for addi- 
tional preventative proactive services that they agree to consume 
over the course of a three-year contract.” 

So although this new offering isn’t for most customers, it does 
show how Microsoft is laying the groundwork for helping companies 
become more efficient. The IO model comes into play as a benefit to 
Microsoft, as well as to the customer. DeJong said, “The further we 
can move customers up the IO maturity model, the healthier they 
are, the happier they are. Studying customer data, we realized that 
the more proactive services a customer consumed, the healthier 
they got, the less reactive support they consumed. We recognized 
that’s good for our customers and good for Microsoft. About the 
same time, customers started realizing the same thing, and we 
started hearing that they wanted a different relationship with Micro- 
soft, where we were more focused on proactively moving ahead 
their IT agenda and increasing their IT uptime, and less focused on 
solving the problem du jour and less focused on managing hours 
that are consumed when reactive incidents arise.” 


What Worries You? 


Like the IO initiative in general, such offerings as Premier Ultimate 
can reduce IT workload and help IT evolve to provide business lead- 
ership. When I think of IO and IT sleeplessness, I don’t believe you 
should become an insomniac, worrying over losing your job when 
IT becomes more effective. What concerns me is that companies will 
hear only the parts of the IO message that they want to hear. I’m los- 
ing sleep over how to demonstrate to business management that, by 
focusing on innovation instead of having to be reactive, IT can bring 
increased value to the bottom line. What do you think? 
READER FEEDBACK 

System Partition or Boot Partition 

I read John Savill’s FAQ article “I want to enable BitLocker on a 
Windows Server 2008 or Windows Vista system, but what if I didn’t 
create a separate system partition when I installed the OS?” 
(InstantDoc ID 99659). When I was teaching a hardware course about 
10 years ago, the terminology surrounding partitions always seemed 
backwards to my students. The system partition is the active 
partition holding the partition boot sector, which contains code 
that tells the boot process where to find the OS startup files 
(e.g., bootmgr). These files (on the system partition) point to the 
location of the OS files. The boot partition, however, is the 
partition that contains the OS files. In the FAQ article, Mr. Savill 
makes the huge 1.5GB drive the system partition, and the other, 
typically rest-of-disk partition the boot partition. Why make the 
system partition so big? 
—Diana Dee 

I hope my terminology didn't cause too much confusion. The system 
partition is where bootmgr resides (with the boot configuration 
database), and the boot partition is where the Windows folder 
resides. I recommend making the system partition large to 
future-proof the partition in case you want to install the Windows 
Recovery Environment, which you wouldn't want on the encrypted boot 
partition. 

—John Savill 


Percentage of Windows IT Pro readers 
using Windows Server 2008, according 
to our March reader survey. 
Winrs for Windows 2003 and Windows XP 
In Windows Power Tools, “Server Core from 
Afar” (August 2008, InstantDoc ID 97945), 
Mark Minasi states that XP doesn't offer 
Winrs, so you can't use Winrs (and WinRM) to 
remotely control Server Core. That's not true. 
The features aren't built in to XP, but you can 
read about and download WS-Management 
v1.1 (aka WinRM) from Microsoft Help and 
Support (support.microsoft.com/kb/936059). 
WS-Management v1.1 delivers WS-Manage- 
ment functionality on XP SP2 and Windows 
2003 SP1, SP2, and R2. 

—Aleksandar Nikolic 


Virtualization Shootout 

I have questions and comments about 
Michael Otey’s cover story, “Virtualization 
Shootout, Part 1” (June 2008, InstantDoc 
ID 98879). The Microsoft product was still 
in beta when you tested it, and Microsoft 
has stated that it plans to use the remain- 
ing development time for bug fixing and 
improvements to the current features; it 
would add no features until after the first 
release. Does the current feature list have 
any shortcomings? 

From the VMware point of view, Micro- 
soft's Hyper-V shouldn't be compared with 
VMware ESX Server; rather, it should be 
compared with VMware Server, because both 
Hyper-V and VMware Server are deemed 
hosted virtualization solutions. At the price 
level, the comparison looks easy: VMware 
Server is free. However, there are additional 
features (e.g., Virtual Center management) 
that do cost money. How do you compare 
the products? 

—C. Beerse 


Microsoft officially released Hyper-V for Windows Server 2008 at the 
end of June 2008, and it’s a vastly improved product over 
Microsoft's older Virtual Server 2005 virtualization product. 
However, Hyper-V isn’t perfect. Some notable shortcomings include a 
limited management console, no ability to import VMware images, 
limited support for Linux distributions, and limited support for 
VMware Virtual SMP under Linux. 

I don’t agree that Hyper-V isn’t comparable to ESX Server; actually, 
Hyper-V is directly comparable with ESX Server. Both are 
hypervisor-based solutions. Hyper-V isn't a hosted solution, such as 
VMware Server and Virtual Server 2005. Hyper-V is entirely superior 
to VMware Server. It provides vastly better performance and 
scalability. However, VMware Server (and ESX Server, for that 
matter) provide support for a much broader range of Linux 
distributions. 

—Michael Otey 


64-Bit Speculation 
In his August 4 WinInfo Short Takes email 
newsletter (InstantDoc ID 99912), Paul Thur- 
rott mentions that sales of the 64-bit version 
of Windows are increasing. I submit that a lot of people are 
probably buying new 64-bit PCs without even knowing it! I was in 
Fry's last weekend, purchasing a new PC for my wife. The store had 
two HP models priced at $500. One offered specifications that were 
quite a bit nicer than the other, so I asked the salesperson to 
fetch me the nicer one. While he was gone, I scanned the description 
and noticed that the nicer PC was 64-bit. This PC would be for my 
non-technical wife, and I didn’t want extra (i.e., 64-bit related) 
problems with printers, scanners, cameras, or software. So, I had 
the salesperson return the nicer one and fetch me the lesser one, a 
32-bit system. Many customers wouldn't have been aware of the 
difference until they got home and found that their printer had 
stopped working. 

—Ken Spinks 

InstantDoc ID 100074 
Make Disaster Recovery a Priority 

Hear just one disaster-related horror 
story, and you'll understand the impor- 
tance of having a disaster-recovery 
plan for your Exchange organization. 
The response to most types of disas- 
ters will be the same—you need to 
understand the impact of a disaster on 
your facilities and the time required 
for full recovery, then plan accordingly. 
This eBook explains how to protect 
and secure data in the event of a disas- 
ter. Download “Data Protection and 
Disaster Recovery Tips” today. 


www.windowsitpro.com/go/eBook/CA/DPandDR/?code=OctClTc 


Virtualization Management 
The challenges to managing mixed 
physical and virtual environments 
include a lack of IT agility and out- 
of-control server sprawl. In this web 
seminar, Michael Otey will discuss 
some of the driving forces behind 
server virtualization in the IT industry 
and the important business problems 
it can solve. 


www.windowsitpro.com/go/seminars/NetlQ/Virtualization_Management/?partnerret=OctCITC 


Speed Deployment of Vista and 
Microsoft Office 

If you have Citrix products in your 
environment, you'll want to look at 
how Citrix XenApp can help with your 
Vista and Office 2007 deployments. 
Download this white paper and learn 
how to reduce compatibility issues and 
resource consumption, accelerate the 
migration process, and optimize end- 
user training schedules through the 
latest Citrix and Microsoft products. 


www.windowsitpro.com/go/wp/Citrix/ 
XenApp Vista/TcedesOctC G 
You've Sat. You've Stayed. Now Seek! 

IT Job Hound helps you sniff out a new job 

For her birthday, I gave my sister a card embossed with golden print 
that reads “The economy stinks. Be happy you got this card.” 
Endearing sentiments aside, my gift choice tells you two things: 
first, America’s economy is so bad that even greeting cards are 
getting grumpy; second, my so-called sense of humor might cost me 
the affection of a family member. 

However disappointing the birthday 
gift (and my attempt at a joke) most likely 
was, the shiny message on it is 
accurate. And in this economy, 
which has forced companies 
to nudge—and sometimes 
shove—employees out of 
comfort zones and even 
jobs, I’ve noticed a change 
in attitude toward job hunt- 
ing and job hopping. Here 
in the United States (and 
even in countries with bet- 
ter economies), it seems that 
many employers are most inter- 
ested in applicants who have sev- 
eral different jobs under their belts. Today, 
changing jobs—or even pursuing a com- 
pletely new career—is not only accepted, it’s 
almost expected. And whether you want to 
simply compare your skills to the industry's 
preferences, secure a new position, or com- 
pletely change your job title, I’m here to tell 
you that, just like on Match.com, “It’s OK to 
look.” In fact, Windows IT Pro offers a free 
resource that even makes it easy to look: IT 
Job Hound. 




Humphries 


The missing link to 


IT resources 


Get Online and Get More Content! 
Even though we can't fit it all into print, 


you can still get it all by registering 
online! We post new, free content every 
week at windowsitpro.com for regis- 
tered members. Just log on to access 
these free bonus articles! 

In September, a reader examined 
free AD cmdlets (InstantDoc ID 99929); 
Jan DeClercq answered questions 
Fl efelUimx-1avi(a=m (ole lelam-laqelelalme-lare| 
restricting read and write access with 
USB storage devices (InstantDoc ID 
99839); William Lefkovics shared expert 
tips about Outlook (InstantDoc ID 
boleheVer) r-Tale WaVl-lamsiu(ey-lalemiixcromdalcelerela 
the range of storage options available 
to businesses (InstantDoc ID 99920). 

If you're a VIP subscriber, you get 
even more solutions and tips. Check 
ColUl aay a=>-ancrare(-xoll o) (exe ir-lal [arie-lai4Dyeren |B) 
100048 for information about recent 

VIP-only content, and keep checking 
back to see what's new! 


IT Job Hound is an online job-search 
engine that concentrates on the IT industry, 
focusing on positions for developers, IT pros, 
designers, and those somewhere in between. 
Job seekers can find recently posted 
positions from top IT companies 
by searching the site or signing 

up for email job alerts—no 
registration required! 
You can upload your 
resume and choose to 

show your name and con- 
tact information only after an employer has 
expressed interest in you. Employers benefit 
from free, unlimited searches of the resume 
database and the connection to the IT indus- 
try’s most qualified candidates. 

Whether you're seeking a job or a job 
seeker, check out IT Job Hound at 
www.itjobhound.com. (If you’re looking for gift 
ideas, give my sister a call.) 
NEED TO KNOW 

“Microsoft customer research indicates that small businesses care 
most about protecting their data. Midsized businesses have told 
Microsoft that their technology needs include getting their 
environments to a secure state and keeping them there.” 

Thurrott 

Windows Small Business Server 2008 

In its continuing quest to serve small and midsized businesses 
(SMBs), Microsoft is updating one server product and offering a new 
server product, both part of its new Essential Business Solutions 
product line. First up is the latest version of an old friend: 
Windows Small Business Server (SBS). SBS 2008 builds off the 
time-tested benefits of its predecessors while providing new 
functionality such as the ability to easily install the premium 
version of the product on two different physical servers. Here’s 
what you need to know about SBS 2008. 


The Market for SBS 

As was the case with the previous version of the product, SBS 2003 
R2, SBS 2008 is aimed at small businesses, which Microsoft defines as 
companies with 25 or fewer PCs and 1 to 49 employees. According to 
the software giant, there are 39 million such companies in the United 
States alone. 

In preparing this latest SBS version, Microsoft took into account its 
customer research, which indicates that small businesses care most 
about protecting their data and other assets and growing the com- 
pany. Small businesses need technology that provides protection from 
disaster and malicious attack; prevents accidental document dele- 
tions; offers quick access to business data; helps with finding more 
customers; increases productivity; and helps establish an image and 
online presence—and that technology must be simple and relevant 
to the business. Business applications are crucial, as is a relationship 
with a trusted technology advisor or consultant. 


The SBS Product Mix 

As with previous SBS versions, SBS 2008 is available in two product 
editions. SBS 2008 Standard Edition can be installed only on a single 
server and includes the 64-bit standard editions of Windows Server 
2008, Windows SharePoint Services 3.0, Exchange Server 2007, Fore- 
front Security for Exchange Server, Windows Live OneCare for Server, 
and integration with Microsoft Office Live Small Business. 

SBS 2008 Premium Edition includes everything in SBS 2008 Stan- 
dard, plus a second server running Server 2008 and SQL Server 2008 
Standard Edition. Interestingly, this second server can be configured 
with either the 32-bit or 64-bit versions of the products so customers 
can install the line of business (LOB) applications they need. The 
second server can also be used for such things as Terminal Services 
application sharing, Server 2008 Hyper-V virtualization, or as a sec- 
ondary domain controller (DC). 

Both editions include an integrated setup routine for the standard 
edition bits (the second server installation in the premium edition 
isn’t integrated in the setup routine) and support up to 75 users or 
devices. Microsoft is introducing SBS 2008 Standard and Premium 
CALs with this product as well. 


What's New in SBS 2008? 


Also new to this product version is a dramatically enhanced admin- 
istrative console, monitoring and reporting capabilities that extend 
from the server to all connected clients, an automated domain name 
registration function that integrates nicely with the Office Live Small 
Business service, faster and block-based server backup, and a new 
extensibility model. Microsoft ISA Server has been replaced by a sim- 
pler Internet gateway device configuration utility. 

Initial deployment has been significantly streamlined, a process 
that will be appreciated by anyone who has installed previous SBS 
versions. Essentially, you deal with five screens in a simple wizard, and 
SBS 2008 should take about 30 minutes to install. (This is assuming 
you purchased an OEM server pre-installed with SBS 2008 and aren’t 
installing SBS 2008 from scratch from the DVD.) SBS 2008 will launch in 
early November 2008. 


Controversial New Pricing Model 

For the most part, SBS 2008 is a considerable improvement over what 
was an already well-regarded product. However, one aspect of this 
new version could prove controversial: Microsoft is changing the SBS 
pricing model from “lower server price, higher CAL price” to a model 
where the initial purchase price of the server is higher but CAL costs 
and requirements are lower. So the retail price of SBS 2008 Stan- 
dard is rising from $599 to $1,089. But Standard CALs cost less than 
before—$77 versus about $100—and you can buy them one at a time; 
with SBS 2003 and earlier, you were forced to buy CALs in five-packs. 
Microsoft says that as a result, the cost of SBS 2008 becomes lower than 
that of SBS 2003 when you cross the 20-user mark. 

Pricing for SBS 2008 Premium is similar. The upfront retail price 
rises from $1,299 to $1,899, and although the premium CAL is now 
$189, customers purchase it only for those users who need to access 
SQL Server. Remember, too, that SBS 2008 includes the “full” standard 
version of SQL Server 2008, whereas SBS 2003 includes SQL Server 
2005 Workgroup Edition. 


Recommendations 
SBS 2008 is a significant improvement over its predecessors, but the 
price might turn off businesses that fall below the 20-user mark. If 
that’s the case, evaluate whether the features and functionality in SBS 
2008 justify the upgrade. Otherwise, SBS 2008 is a no-brainer. 
Windows Essential Business Server 2008 

Windows Essential Business Server (EBS) 2008 is a new entry in the 
Essential Business Solutions product line, and one that nicely fills 
the gap between Windows Small Business Server (SBS) 2008 and the 
enterprise-oriented standalone servers that the company also sells. 
EBS 2008 is based on the same Windows Server core as SBS 2008, and 
it uses a similar administrative console. It’s also quite a bit more 
complex, with a three-server installation requirement. Here’s what 
you need to know about EBS 2008. 


The Market for EBS 2008 

With EBS 2008, Microsoft is targeting the 
midsized business market: companies with 
25 to 500 PCs and 50 to 1,000 employees. This 
market sits firmly between the small business 
market and what Microsoft describes as the 
corporate market, the latter of which includes 
companies of 500 to 1,000 PCs and 1,000 to 
5,000 employees. 

According to Microsoft's research, IT in 
midsized businesses is managed by so-called 
IT generalists, the Jack-of-All-Trades of the 
administrative world who know a little about 
a broad range of topics and spend most of 
their time reacting to problems rather than 
proactively deploying technologies that make 
the most sense for their businesses. Midsized 
businesses have told Microsoft that their 
technology needs include getting their envi- 
ronments to a secure state and keeping them 
there, supporting desktop PCs and users, 
deploying the various machines and devices 
needed by the business, tracking IT assets, 
complying with specific industry regulations, 
and performing regular backups of PCs and 
of corporate data. As with small businesses, 
business applications are critical and spend- 
ing is tightly controlled. 


The EBS Product Mix 

EBS 2008 Standard Edition is a product suite 
that must be installed on three separate 
64-bit servers: a management server that 
includes the standard editions of Windows 
Server 2008 and Microsoft System Center 
Essentials 2007 (SCE 2007); a messaging 
server with Server 2008, Microsoft Exchange 
Server 2007, and Microsoft Forefront Security 
for Exchange Server; and a security server 
with Server 2008, Exchange 2007 (Edge Ser- 
vices), and Forefront Threat Management 
Gateway for Medium Businesses. 

EBS 2008 Premium Edition takes the 
standard edition and adds a fourth database 
server that can be installed in 64-bit (x64) or 
32-bit versions. This server includes Server 
2008 and SQL Server 2008 Standard Edition. 
Both versions are served by a single CAL for all 
included products, an integrated setup rou- 
tine, and a centralized management console 
that serves as a front end to all of the installed 
products. 


What's in EBS 2008? 

Although EBS 2008 is obviously a new prod- 
uct, it also builds on the years of experience 
Microsoft has serving small businesses with 
SBS and larger businesses with its more tra- 
ditional standalone servers. As such, it estab- 
lishes an interesting computing environment 
that’s both seamlessly integrated and more 
complex than a single-server product. The 
new EBS administrative console is simple 
and similar to SBS but includes integrated 
license management that, in a nod toward 
the needs of midsized businesses, tracks a 
company’s technology assets. 

EBS 2008 also builds off the “green shield 
of health” model first employed by SBS 2003, 
providing a central location to track the 
health and security of your entire environ- 
ment. It essentially monitors hundreds of 
traditional Windows events, distills them into 
plain English workload indicators, and then 
prioritizes them so you can easily fix things 
that aren’t working properly. 

Just as important, the EBS console can 
be extended by third parties. Already a wide 
range of support has emerged, with compa- 
nies such as CA, FullArmor, HP, IBM, Intel, 
Mimosa, Quest Software, Symantec, Trend 
Micro, and others building add-ons in the 
areas of backup, antivirus, workflow, line-of- 
business (LOB) applications, and more. EBS 
add-ons are installed under the Business 
Applications tab in the administrative con- 
sole. 

Microsoft has also made deployment 
somewhat easier by building its best prac- 
tices guidance into both the online Help and 
the setup routine to ensure that customers 
get up and running with EBS correctly. The 
company has condensed what it says would 
be 129 setup screens—if the individual prod- 
ucts were installed separately—to just 30 with 
EBS. That’s still quite a lot, and deploying 
an EBS setup in your environment—then 
migrating your existing data over to it—will 
likely be a daunting process for many. 

Also, it’s worth noting that Microsoft is 
now investigating best practices for install- 
ing EBS in a virtual environment such as 
Windows Server 2008 Hyper-V. At the time of 
this writing, that best-practices guide wasn’t 
available, but Microsoft claims the final EBS 
release will support virtual environments. 
EBS 2008 will launch alongside SBS 2008 in 
early November 2008. 


Pricing Model 

As with SBS 2008, EBS 2008 will come with 
separate standard and premium CALs that 
cover all of the products included in both 
editions. The retail cost of EBS 2008 Standard 
is $5,472, a savings of more than $2,000 over 
the cost of the individual products purchased 
separately. A standard edition CAL costs $81 
(compared with $112 for standalone CALs). 
On the premium edition side, the retail cost 
is $7,163, a savings of more than $3,000 over 
the cost of the individual products purchased 
separately. A premium edition CAL is $195 
(versus $274 for standalone CALs). 


Recommendations 
EBS 2008 is a complex and untested product, 
but given Microsoft’s successes with SBS 
2008, there's reason to be cautiously optimis- 
tic. That said, midsized businesses interested 
in EBS should be aware that this product 
doesn’t drop into an existing environment. 
Instead, it’s designed to replace what you're 
already using. And that’s OK if you make sure 
to plan for the potentially lengthy and com- 
plex process of migrating from your existing 
infrastructure to EBS. 
WINDOWS POWER TOOLS 

“All versions of Windows Server 2008 differ from their predecessors 
by enabling the firewall by default” 

Minasi 

Putting the Finishing Touches on Server Core 

Set the time zone, configure the screen saver, and tweak the firewall 

The focus of my past few columns has been to show you how to get a 
new Windows Server 2008 Server Core system ready to do some work. To 
wrap up that focus, I want to provide a few short command-line 
tips—namely, setting the system's time zone, configuring its screen 
saver, and tweaking its firewall. After those tasks are done, we'll 
have put the final polish on a ready-to-roll Server Core system. 


Tinkering with Time Zones 

You would think that setting a system’s time zone would be pretty 
simple—say, typing a number into the registry—but for some 
reason, time zones are tougher than that. So, Microsoft decided to 
simplify the graphical functionality of the Control Panel Date and 
Time applet so that it would work on Server Core. (Remember, 
Server Core isn’t completely GUI-less. Simple GUI-based apps such 
as Task Manager, Notepad, Regedit, and many setup programs work 
fine with Server Core’s limited interface.) 

To set a Server Core system’s time zone, just type the timedate.cpl 
command at the command prompt and tap Enter, and the 
applet will appear. (Another way to set the time zone on a Server 
Core system is to use a script to do the installation.) The only other 
Control Panel applet to find its way into Server Core is Regional and 
Language Options (intl.cpl). 


Setting the Screen Saver 

By default, Server Core engages its screen saver after 10 minutes of 
inactivity, locking the screen until you log on again. While testing my 
Server Core system, I found this behavior irritating, so one of my 
favorite setup tasks is to open Regedit, navigate to 
HKEY_CURRENT_USER\Control Panel\Desktop, and adjust the 
ScreenSaverIsSecure subkey’s value from 1 to 0, which removes 
password protection from the screen saver. You wouldn’t want to do 
that on a production machine, of course, but it might save your 
sanity on test systems. 

You can also access the ScreenSaveTimeOut subkey to specify how 
many seconds of inactivity to wait before screen-saver activation, the 
ScreenSaveActive subkey to enable or disable the screen saver, and the 
SCRNSAVE.EXE subkey to identify which screen saver you want to use. 
Server Core offers only the standard logon.scr option (i.e., the Windows 
logo) or the scrnsave.scr option (i.e., a blank screen). In my tests, new 
ScreenSaverIsSecure, ScreenSaveActive, and SCRNSAVE.EXE values 
take effect immediately, but changing the ScreenSaveTimeOut value 
requires a logoff/logon. 
Fine-Tuning the Firewall 

All versions of Server 2008 differ from their predecessors by enabling 
their firewall by default. You can open Server Core’s firewall through 
Group Policy (i.e., Computer Configuration, Administrative Tem- 
plates, Network, Network Connections, Windows Firewall). Then, in 
either the Domain Profile or Standard Profile folder, set the Windows 
Firewall: Protect All Network Connections value to Disabled. 

You can also use the command line to disable the firewall: 


netsh firewall set opmode disable 


To re-enable the firewall, just replace disable with enable. If you don’t 
know the firewall’s state, just type 


netsh firewall show state 


This command produces about a dozen lines of fairly confusing 
output. Look for the line that begins with Operational Mode =; the 
presence of Enable or Disable will answer the question. 

I like the idea of raising the Server Core firewall—after all, security is 
one of its selling points—but I typically open my firewalls just enough 
to let the system respond to pings. You can set your Server Core fire- 
walls to allow the system to respond to pings by using the command 


netsh firewall set icmpsetting 8 enable 


In general, you won’t have to open ports in your firewall because 
Ocsetup automatically opens whatever ports a server module needs 
when you install that module. For example, installing the DNS 
Server service opens port 53 without any further work on your part. 
But if you did need to open a port, you'd type 


netsh firewall set portopening tcp|udp <portnumber> <label> 


To tell the system that you’ve enabled Remote Desktop through the 
registry (which doesn’t open the RDP port by default), type 


netsh firewall set portopening tcp 3389 "Remote Desktop" 
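
The following batch file is an added example, not part of the original column: it checks the screen-saver registry values and the firewall state discussed above against a production baseline and lists every firewall exception for review. The baseline (screen saver active, password-protected, timeout of at most 600 seconds, firewall enabled) is an assumption for illustration.

```batch
@echo off
rem Added example (not from the column): report drift from a production
rem baseline for the screen-saver values and firewall state discussed above.
rem Baseline values are assumptions; adjust them to your own policy.
rem The registry values live under HKCU, so run this as the account to check.
setlocal EnableDelayedExpansion
set "KEY=HKCU\Control Panel\Desktop"
set /a DRIFT=0

rem Screen saver must be enabled and must lock the session.
call :expect ScreenSaveActive 1
call :expect ScreenSaverIsSecure 1

rem Timeout is stored in seconds; flag anything longer than 10 minutes.
call :read ScreenSaveTimeOut
if not defined VAL (
    echo DRIFT  ScreenSaveTimeOut is not set
    set /a DRIFT+=1
) else if !VAL! GTR 600 (
    echo DRIFT  ScreenSaveTimeOut=!VAL! exceeds 600 seconds
    set /a DRIFT+=1
) else (
    echo OK     ScreenSaveTimeOut=!VAL!
)

rem Report which screen saver is configured (logon.scr or scrnsave.scr).
call :read SCRNSAVE.EXE
echo INFO   SCRNSAVE.EXE=!VAL!

rem Firewall: the "Operational mode" line must read Enable.
netsh firewall show state | findstr /I /C:"Operational mode" | findstr /I "Enable" >nul
if errorlevel 1 (
    echo DRIFT  Windows Firewall operational mode is not Enable
    set /a DRIFT+=1
) else (
    echo OK     Windows Firewall is enabled
)

rem List every exception so unexpected openings stand out in review.
echo.
echo ---- Port openings ----
netsh firewall show portopening
echo ---- ICMP settings ----
netsh firewall show icmpsetting

echo.
echo Drift items: %DRIFT%
exit /b %DRIFT%

:read
rem Sets VAL to the data of value %1 under KEY, or clears VAL if it is missing.
set "VAL="
for /f "tokens=1,2,*" %%A in ('reg query "%KEY%" /v %1 2^>nul ^| findstr "REG_"') do set "VAL=%%C"
goto :eof

:expect
rem Compares value %1 with expected data %2 and counts a mismatch as drift.
call :read %1
if "!VAL!"=="%2" (
    echo OK     %1=!VAL!
) else (
    echo DRIFT  %1=!VAL! ^(expected %2^)
    set /a DRIFT+=1
)
goto :eof
```

The exit code equals the number of drift items, so a scheduled task or deployment script can fail a build when a test-system shortcut such as ScreenSaverIsSecure=0 has leaked onto a production server.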


Ready to Roll 
With these final tinkerings done, you're ready to put your Server Core 
box to work as a DHCP server. Tune in next month for that! 


YouTube Tech Videos 

Your boss can’t fault you for watching these instructional clips 

Believe it or not, YouTube isn’t just a site full of America’s funniest 
home videos and shaky, bootleg concert clips. YouTube actually has many 
IT technology videos as well. Here are 10 of my favorite technical 
videos from YouTube. Now, the next time your boss catches you on 
YouTube, you can legitimately claim that you were researching a tech 
problem or learning about some new technology. 

Virtualization ... What’s the Big Deal?—In this video, Dell’s CTO, 
Kevin Kettler, presents a 10-minute tutorial covering the basics of 
virtualization. Kettler explains the difference between hosted 
virtualization and hypervisor-based virtualization, and also discusses 
some of the management concerns about using this hot technology. You 
can view this video at www.youtube.com/watch?v=nDiM19KShAA. 

VMware Virtualization—In this short video from Dell and EMC, you can 
learn about the University of Maryland's virtualization deployment 
using VMware’s ESX Server as the virtualization platform running on 
Dell and EMC hardware. Watch the VMware Virtualization video at 
www.youtube.com/watch?v=Pg2sRV5ay08. 

Installing MOSS—If you're interested in Microsoft Office SharePoint 
Server (MOSS) 2007, you might want to check out this video from the 
Baltimore SharePoint Users Group. It tells you about MOSS setup 
requirements, then steps you through the initial setup of MOSS. You'll 
find this video at www.youtube.com/watch?v=5hsMrdalo4w. 

Windows 2008 Server Core Configuration Part 1—Server Core is another 
hot topic for IT Pros. In this video, John Savill walks you through the 
commands that are typically required to set up Server Core. As a bonus, 
you'll see how to install the update for Hyper-V support on the 
command-line based Server Core. You can view this video at 
www.youtube.com/watch?v=XSgtqweojTY. 

Microsoft Exchange Server 2007 Storage Options—DAS or SAN—In this 
6-minute video, EMC’s Brian Henderson compares the management and 
performance aspects of using Exchange 2007 with DAS versus with a SAN. 
You can see this video at www.youtube.com/watch?v=WI11Pnu7fFVA. 

TechEd 2008: Demonstration of SQL Server 2008—In this 6-minute video, 
David Campbell, a Microsoft Technical Fellow, shows off the new SQL 
Server Data Services and Microsoft's new Sync Service that synchronizes 
SQL Server 2008 data with mobile devices. You can see this video at 
www.youtube.com/watch?v=gfZEZTiGNIc. 

Windows Server 2008 Hyper-V Demo on Quad-Core Intel Xeon—If you're 
interested in what Hyper-V looks like, you might want to watch this 
4-minute video from Intel made at this year’s Microsoft Management 
Summit. This video demonstrates Microsoft's new Hyper-V virtualization 
product and provides an overview of some of the most important Hyper-V 
features. You'll find this video at www.youtube.com/watch?v=2y4lpaSyWMc. 

Dell VMware VMotion Demo—VMware’s VMotion technology can move live 
virtual machines (VMs) between different host servers. Sound 
interesting? Then you might want to check out this Dell VMotion demo. 
This 4-minute video shows how VMotion can be used to move a VM to a new 
ESX Server host with no downtime. Check this one out at 
www.youtube.com/watch?v=E_TtHAgRy_s. 

Steve Ballmer—Developers—This column is about YouTube, so not 
everything can be serious. If you’ve ever wondered how the phrase 
“Developers! Developers! Developers!” got associated with Microsoft’s 
Steve Ballmer, look no further than this entertaining clip: 
www.youtube.com/watch?v=8To-6VIJZRE. 

TechEd 2008: Ballmer Bot takes the stage with Bill Gates—While on the 
topic of Steve Ballmer: Even though he wasn’t at this year’s Microsoft 
TechEd in Orlando, that doesn’t mean he didn’t have a presence there. 
One of the high points of this year’s TechEd was the Ballmer Bot, which 
you can check out at www.youtube.com/watch?v=JHtFu-uE5Uk. 

Did You Know? 

Windows IT Pro recently launched a video site for IT pro training 
clips, troubleshooting tips, and analysis; check it out at 
www.ittv.net. 
WHAT WOULD MICROSOFT SUPPORT DO? 

“I'll show you how to use Microsoft tools that I’ve found especially 
helpful for resolving tech support issues.” 
Morales 

Resolve Memory Leaks Faster 
Run the UMDH tool to get key problem-solving data and cut support-call time 

If you manage a Windows environment, you know that a call to tech 
support is an inevitable part of your job. But there are things you can 
do to help resolve support issues faster—and perhaps avoid the dreaded 
support call entirely. In nine years as an escalation engineer for 
Microsoft’s Global Escalation Services support team, I’ve found a 
number of Microsoft tools especially helpful for resolving tech support 
issues. In this new column, What Would Microsoft Support Do?, I'll show 
you how you can use these tools to obtain valuable information that 
will help you either facilitate your tech support call or research your 
own solution. We'll start our exploration of Microsoft’s 
troubleshooting tools by walking through using the user-mode dump heap 
(UMDH) tool to identify and solve a memory-leak problem. 


Troubleshooting a Memory Leak 
UMDH (umdh.exe) is part of the Debugging Tools for Windows, which you 
can download at 
www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a. UMDH aids 
in troubleshooting process memory leaks by revealing the components 
responsible for allocating the most memory. You can use UMDH with 
Windows Server 2008, Windows Server 2003, Windows 2000 Server, Windows 
Vista, and Windows XP systems. 

I recently used UMDH to solve a customer’s memory-leak 
problem. The customer's Performance Monitor logs indicated that 
the svchost.exe process was leaking enough memory to cause the 
entire system to crawl. However, the information didn’t pinpoint 
what components were involved in the leak or the functions those 
components executed—information that UMDH could provide. 


UMDH Steps 


Using UMDH to troubleshoot a memory leak involves a sequence of 
straightforward steps. Here’s the process: 

1. Use the gflags.exe tool to enable the registry setting Create user 
mode stack trace database. This setting lets the system store the pro- 
cess’s function calls and module listing in a database during execution; 
UMDH then dumps the database into an output file. Gflags is in- 
stalled when you install the Debugging Tools for Windows. This sam- 
ple gflags.exe command enables a setting for the notepad.exe process: 


gflags.exe -i notepad.exe +ust 


The command sets a registry value that’s read by the system during 
process startup and lets the system keep track of the threads that 
allocate memory inside the process. After running gflags.exe to 
enable the setting, you'll need to restart the process before you can 
perform step 3. Also, remember to turn off the setting after you've 
completed the necessary tracing for a leaking process. The following 
command disables the setting for the notepad.exe process: 


gflags.exe -i notepad.exe -ust 


2. Set up the Microsoft symbol path to point to the Internet for 
symbols. Enabling symbols lets UMDH output the process trace 
information in a readable format. Without symbols, each line in 
the trace output will show the word “module” instead of an actual 
.dll name and numbers instead of the function name (more about 
the trace output shortly). 

To enable symbols, right-click My Computer, click Properties 
and the Advanced Tab, then click the Environment Variables button. 
Under System Variables, click the New button, and in the Variable 
name box, enter 


_NT_SYMBOL_PATH 


In the Variable value box, enter the symbol path 
srv*c:\symbols*http://msdl.microsoft.com/download/symbols. UMDH will 
use the symbol path to display the components responsible for leaking 
memory. (This symbol path is valid for Server 2008, Windows 
2003, Win2K, Vista, and XP.) 

3. Now you can take your first UMDH snapshot. To do so, from 
the command line, navigate to the location where you've installed 
the debugging tools. Then enter a command like this: 


C:\debug>umdh -p:268 -f:Notepad1.txt 


(Here, I installed the tools in the C:\debug directory.) The -p: is 
the process ID of the leaking process (which you can obtain from 
Performance Monitor or Task Manager), and the -f: is the name 
you've chosen for the first snapshot file. 

4. Allow enough time between the first and second snapshots 
to ensure that the process leaks memory. While you're waiting 
between snapshots, you can use Performance Monitor to see how 
much memory is being leaked. 

5. Take your second snapshot, for example 


C:\debug>umdh -p:268 -f:Notepad2.txt 


6. Now compare the two snapshots by running a command like this: 


C:\debug>umdh -v Notepad1.txt Notepad2.txt >c:\comparefiles.txt 


The -v parameter tells UMDH to include 
in its output summary information that 
describes how much memory each thread 
has consumed between the first and 
second snapshots (more about threads 
shortly). You need to specify a file to con- 
tain the output for the snapshot compari- 
son; here, the filename is comparefiles.txt. 


The previous command’s output lists the 
components and function calls that allo- 
cated the most memory within the process. 
Having this detailed information about the 
process will make the problem easier for 
tech support to pinpoint and resolve— 
or will give your systems administrator 
adequately specific information to research 
the problem further and possibly update the 
binaries involved in the leak. 

A note about using UMDH: You can trace 
both Microsoft and non-Microsoft related 
processes and services by running UMDH 
commands; however, to actually capture the 
component name involved in the leak, you'll 
need the corresponding symbol file for that 
component. Some vendors don’t make their 
symbol files public; if you don’t have access 
to the symbol file, the information in the 
UMDH output file will be limited to only the 
component's load address and exclude the 
component name and function being exe- 
cuted. So, to get any meaningful output from 
UMDH, you should specify 
at least the Microsoft symbol 
path, as explained earlier. 


Interpreting UMDH Output 

When you open the output file—comparefiles.txt in Figure 1—at the top 
you'll see the first thread of execution (thread for short), two lines 
followed by a succession of lines grouped together. Threads represent a 
running task inside a process; they're components and functions that 
have memory allocated. Every process must have at least one thread to 
be able to load and run. The top two lines are the thread’s summary 
information, and the group of lines under the summary information 
represents each thread entry in that process. Let’s look more closely 
at the output and what it means. 

[Figure 1: UMDH output showing topmost thread. Callouts: amount of 
memory allocated in hexadecimal; number of memory allocations in 
hexadecimal; component’s load address in memory; component name; 
function name] 

The first two lines of the thread stack show comparative memory-usage 
information from the two snapshots. The first hexadecimal number, 
+113faf000, represents the delta change in memory consumption from the 
first snapshot to the second. So in our example, you can see a change 
of more than 4.6GB of memory (113faf000-0 = 4.6GB). To see the delta 
value, you can convert the hex value to decimal by using the Windows 
calculator’s Scientific view (you can access the calculator either 
through the Start menu or by running calc.exe). 

The next number, 81df8, represents the number of actual allocations 
that occurred to consume the memory. 81df8 hex represents 531,960 
allocations. This high number of allocations is normal, considering 
this thread is responsible for more than 4GB of memory. The next part, 
BackTrace8117, is the internal ID with which the system has tagged this 
thread. 

The thread at the top of the UMDH output is the thread that consumed 
the greatest amount of memory, so that’s where you'll start 
investigating the memory-leak problem. Each thread in the output file 
consists of the component’s load address (e.g., in the first entry, 
77EDCA76), the component filename (or DLL name—ntdll in the first 
entry), and just after the ! sign, the function within the DLL that was 
executed (e.g., !$$VProc_ImageExportDirectory). 

You can use the UMDH output to start 
your troubleshooting investigation by 
reviewing the components in the output file 
and, if necessary, updating them to their lat- 
est versions. If the components involved in 
the process are up-to-date and the leak still 
occurs, your next step is to call tech support 
or research the problem further. 


Using UMDH Information 

You can further narrow down and possibly 
solve the problem by researching it online. 
For example, I searched on information 
from the sample UMDH snapshots—the 
string “repdrvfs wmi leak,” including “wmi” 
because the leak occurred in a Windows 
Management Instrumentation (WMI) pro- 
cess and “repdrvfs” because that compo- 
nent name was high on the thread stack (i.e., 
the thread that was consuming the most 
memory) and repeated several times (indi- 
cating that the repdrvfs DLL was involved 
in the consumption of memory). My search 
found a TechNet article that provided the fix for the problem, at 
support.microsoft.com/kb/838884. Thus, when you select components to 
search, you'll probably be most successful searching those that are 
both high on the thread stack and repeated. 

Of course, you won't solve all leaky-application problems by using 
UMDH. However, using UMDH for troubleshooting leaky processes will 
provide key information that can significantly reduce the time needed 
to resolve a technical support issue. Check out the Microsoft Advanced 
Windows Debugging and Troubleshooting blog (blogs.msdn.com/ntdebugging) 
for further guidance in identifying and resolving Windows technical 
issues. 
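
As an added example (not from the original column), the following Python code applies the reading described above to a UMDH comparison file: it converts the hexadecimal byte delta and allocation count to decimal, orders the entries by growth, and ranks the components in each entry by how often they repeat and how near the top they sit. The sample text is constructed from the fields the column describes; its exact line layout, the ConstructedFunc and examplemod names, and all function names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample. The layout (summary line, then indented
# "address module!function" frames) is an assumption based on the fields
# the column describes; ConstructedFunc* and examplemod are made up.
SAMPLE = """\
+ 113faf000 ( 113faf000 -      0)  81df8 allocs\tBackTrace8117
+     81df8 (     81df8 -      0)\tBackTrace8117\tallocations

\t77EDCA76 ntdll!$$VProc_ImageExportDirectory
\t75A11111 repdrvfs!ConstructedFuncA
\t75A12222 repdrvfs!ConstructedFuncB
\t75A13333 repdrvfs!ConstructedFuncC
\t76B14444 examplemod!ConstructedFuncD

+      2000 (      3000 -   1000)      4 allocs\tBackTrace12
+         4 (         6 -      2)\tBackTrace12\tallocations

\t77EDCA76 ntdll!$$VProc_ImageExportDirectory
\t01001234 notepad!ConstructedFuncE
"""

# "+ <delta> ( <new> - <old>) <count> allocs BackTrace<id>", all hexadecimal.
SUMMARY = re.compile(
    r"^([+-])\s*([0-9A-Fa-f]+)\s*\(\s*([0-9A-Fa-f]+)\s*-\s*([0-9A-Fa-f]+)\s*\)"
    r"\s*([0-9A-Fa-f]+)\s+allocs\s+(BackTrace\w+)")
# Indented frame: optional load address, then module!function.
FRAME = re.compile(r"^\s+(?:([0-9A-Fa-f]{8,16})\s+)?([\w.]+)!(\S+)")


@dataclass
class Stack:
    trace_id: str
    delta_bytes: int
    new_bytes: int
    old_bytes: int
    allocs: int
    frames: list = field(default_factory=list)  # (module, function) pairs


def parse_umdh_diff(text):
    """Parse a comparison file into Stack records, largest growth first."""
    stacks, current = [], None
    for line in text.splitlines():
        summary = SUMMARY.match(line)
        if summary:
            sign = -1 if summary.group(1) == "-" else 1
            current = Stack(summary.group(6),
                            sign * int(summary.group(2), 16),
                            int(summary.group(3), 16),
                            int(summary.group(4), 16),
                            int(summary.group(5), 16))
            stacks.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current.frames.append((frame.group(2).lower(), frame.group(3)))
    stacks.sort(key=lambda s: s.delta_bytes, reverse=True)
    return stacks


def suspect_modules(stack):
    """Order modules by repeat count, then by first position in the stack."""
    counts = Counter(module for module, _ in stack.frames)
    first_seen = {}
    for position, (module, _) in enumerate(stack.frames):
        first_seen.setdefault(module, position)
    return sorted(counts, key=lambda m: (-counts[m], first_seen[m]))


def report(text, top=3):
    """One summary line per entry for the `top` largest-growing entries."""
    lines = []
    for s in parse_umdh_diff(text)[:top]:
        lines.append(
            f"{s.trace_id}: {s.delta_bytes:+,} bytes "
            f"(~{s.delta_bytes / 1e9:.1f} GB), {s.allocs:,} allocations; "
            f"search first: {', '.join(suspect_modules(s)[:2])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
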
MICHAEL MORALES (morales@microsoft.com) is a senior escalation engineer 
for Microsoft's Global Escalation Services team. He specializes in 
advanced Windows debugging and performance-related issues. For 
information about Windows debugging, visit blogs.msdn.com/ntdebugging. 
Mimic Vista’s Event Triggers in XP 
Some of our customers have started migrat- 
ing their client OSs from Windows XP to 
Windows Vista. They're pretty impressed by 
the Vista features that simplify their admin- 
istrative workloads. One such feature is the 
Event Viewer’s Attach Task To This Event op- 
tion, which lets you create an event-triggered 
action, such as sending an email notification 
when a specific event occurs. (To access this 
option, type Event Viewer in the Start menu's 
search box, and click the Event Viewer icon 
that appears under the Programs heading. 
In Event Viewer, double-click an event ID in 
the Summary of Administrative Events box to 
bring up the Attach Task To This Event option 
in the Actions pane.) 

Once customers get a taste of using 
event-triggered actions in Vista, they 
often ask how they can create them on 
the remaining XP workstations in their 
domains without having to use third-party 
software. I provide them with a relatively 
simple solution that uses a VBScript script 
and eventtriggers.exe, a command-line 
utility included in Windows Server 2003 
and XP. (Eventtriggers.exe isn’t included in 
Windows 2000 and won't run if you copy it 
to Win2K. Vista doesn't include this utility 
because the Attach Task to this Event feature 
makes it unnecessary.) 

The solution is as follows: 

1. Launch Notepad and enter the script 
in Listing 1, replacing all the string values 
in double quotes with your own informa- 
tion. (Leave in the double quotes.) You can 
download this script by going to www 
.windowsitpro.com, entering 99979 in the 
InstantDoc ID box, clicking Go, then click- 
ing the Download the Code Here button. 

2. Save the script as Email.vbs. 


Listing 1: Email.vbs 

' Build the notification message with CDO. 
Set objEmail = CreateObject("CDO.Message") 
objEmail.From = "me@mydomain.com" 
objEmail.To = "me@mydomain.com" 
objEmail.Subject = "An error has occurred" 
objEmail.Textbody = "Workstation100 has encountered an error." 
' Send the message. 
objEmail.Send 

3. Copy the Email.vbs script to the XP 
workstation. For this example, let’s put it in 
the C:\utils folder. 

4. On the XP workstation, launch a 
command-prompt window and enter the 
command 


Eventtriggers /Create 
/TR "Event Triggers for All Errors" 
/T ERROR /TK C:\utils\email.vbs 


(Although this command appears on sev- 
eral lines here, you'd enter it all on one line 
in the command-prompt window.) In this 
command, the /TR parameter provides the 
trigger’s name (Event Triggers for All Errors), 
the /T parameter specifies the type of event 
that the trigger should capture (ERROR 
events), and the /TK parameter identifies 
the trigger action (execute Email.vbs). 


When an error appears in any log file on 
that workstation, Email.vbs is executed and 
sends an email notification to the recipient 
designated in the script. You can fine-tune 
the Eventtriggers command using its many 
parameters to capture specific events 
based on the event ID. For a list of the avail- 
able parameters, run the command 


Eventtriggers /Create /? 


in a command-prompt window. 
—Jian Bo 
PsExec to the Rescue 

In my previous position, I sometimes had to grant temporary access to 
remote servers to the administrators of other departments in that 
company. Sometimes these administrators forgot to log off the remote 
server after they completed their tasks, thus locking out other 
administrators when the Windows Server 2003 Terminal Services session 
limit had been reached. Usually the offending administrators were out 
to lunch or had left for the day. This always seemed to happen when 
there was a problem that needed immediate attention on that server. 
Typically, I had used Terminal Services Manager to log off the 
administrator. However, there were times when that wasn't an option 
because the remote server I needed to access was the one running 
Terminal Services Manager. 

When I was searching the Internet for a solution to this problem, I 
came across a discussion of the PsExec tool in the Windows Power Tools 
column (“PsExec,” July 2004, InstantDoc ID 42919). PsExec lets you 
launch interactive command-prompt sessions and run programs on remote 
systems without having to install client software on those systems. 
This tool looked promising, so I downloaded the latest version from the 
Microsoft TechNet website 
(technet.microsoft.com/en-us/sysinternals/bb897553.aspx). 

I decided to try PsExec in a test environment. I ran a command that 
followed the syntax 


C:\psexec \\ServerName 
-u Domain\UserID cmd 


where ServerName was the name of the remote server I needed to access 
and Domain\UserID was the username I wanted to use to log on to that 
server. The cmd argument told PsExec to launch an interactive 
command-prompt session on that server. 

After I entered my password, the remote server's command-prompt window 
appeared. I then ran the Query Session command: 


Query Session 


The output showed the user IDs of the administrators who were connected 
to the server. I was then able to use the following Logoff commands 
with the administrators’ IDs to log off those administrators: 


Logoff 2 
Logoff 3 


Afterward, I reran the Query Session command to see if those 
administrators were logged off. The Logoff commands were successful. 

Because this was a test environment, I knew that the administrators I 
logged off weren't running any important tasks on the remote server. 
However, in a production environment, you need to make sure that the 
administrator you're about to log off isn't running an important task. 
You can use the Tasklist command to check which tasks are running and 
who is running them. Assuming you're still logged on to the remote 
server, you can use the command 


Tasklist /v /fi "STATUS eq running" 


From that point on, I used PsExec to log off administrators on all 
remote servers. 

Using Terminal Services Manager to access a remote server takes a 
couple of minutes, whereas using PsExec takes only a couple of seconds. 
As this practical usage of PsExec demonstrates, sometimes you need to 
keep an open mind and think beyond GUIs. 
—Tim Bolton, Microsoft infrastructure technician, 
Lightedge Consulting Services 
InstantDoc ID 99982 


PsExec is No. 7 on Jerry Cochran's list of 10 network security 
assessment [...] (InstantDoc ID 47648). 


Be Part of a Windows IT Pro Cover Story 

The Reader to Reader (R2R) section is written for IT pros by IT pros. 
That's what makes it such a hit among Windows IT Pro readers and Web 
site visitors. To showcase the talent and creativity of these IT pros, 
we're planning to feature the most interesting R2R write-ups in a cover 
story. 

So, if you've come up with a creative shortcut, solved a plaguing 
problem, turned a tedious task into an effortless one, or come across 
information other IT pros should be aware of, let us know about it. You 
don't need to be a skilled writer. We have editors who will turn your 
write-up into polished prose. All you need to do is tell us in 1,000 
words or less what prompted you to come up with the shortcut, solution, 
or streamlined task and how it works. If you're sharing information, 
let us know how you came across that information. You can send your R2R 
write-up (or write-ups if you'd like to send more than one) to 
r2r@windowsitpro.com. 

We'll be sending all the R2R write-ups we receive in the next few 
months to our technical editors, who will decide whether to accept them 
for publication. A panel will then review all the accepted R2R 
submissions and select the most interesting write-ups for the cover 
story. The accepted R2R write-ups that aren't selected for the cover 
story will be printed in the R2R section in future Windows IT Pro 
issues. Whether an R2R write-up is part of the cover story or printed 
in the R2R section, the author will receive $100 when it’s published. 

Send your R2R write-up to us today! 
Q: If Microsoft releases a replace- 
ment for a buggy security update, 
do we need to uninstall the earlier 
update before installing the re- 
placement? 


A: It shouldn't be necessary to uninstall the 
buggy update. Windows Server Update Ser- 
vices (WSUS) will either reinstall the new ver- 
sion or prompt you to approve the update for 
installation, depending on your configuration. 
In some cases, you must rerun discovery for 
Windows to realize that a new version of the 
update needs to be installed on applicable 
computers. 


—Randy Franklin Smith 
InstantDoc ID 100003 


Q: How can I list all the members 
of an Active Directory (AD) group? 


A: The Windows Server 2003 Dsget command is useful for getting 
information about AD objects, including groups. When you use Dsget with 
the -members switch, it will output the distinguished names (DNs) of 
all members of a group, as the following command and output shows: 


dsget group "cn=Members,ou=Justice League,dc=savilltech,dc=com" -members 


"CN=Barry Allen,OU=Justice League,DC=savilltech,DC=com" 
"CN=Kara Zor-El,OU=Justice League,DC=savilltech,DC=com" 
"CN=Helena Bertinelli,OU=Justice League,DC=savilltech,DC=com" 
"CN=Ted Kord,OU=Justice League,DC=savilltech,DC=com" 
"CN=Jason Todd,OU=Justice League,DC=savilltech,DC=com" 
"CN=Dick Grayson,OU=Justice League,DC=savilltech,DC=com" 


If you want to display information other than the DN, you can use the 
pipe (|) character, which lets you pass the output of one command as 
input to another command. In this case, you can pipe the output of 
Dsget to another Dsget query to gather the desired information. For 
example, if you want the SAM ID, User Principal Name (UPN), and 
description, you would use the command 


dsget group "cn=Members,ou=Justice League,dc=savilltech,dc=com" -members | dsget user -samid -upn -desc 


Notice that the code after the pipe character in the command is the 
second Dsget command, which gathers the account detail displayed in 
Table 1. 


—John Savill 
InstantDoc ID 100002 


Table 1: Dsget Command Output 

Description    samid     upn 
               Barry     barry@savilltech.com 
Supergirl      Kara      kara@savilltech.com 
Huntress       Helena    helena@savilltech.com 
Blue Beetle    Ted       ted@savilltech.com 
               Jason     jason@savilltech.com 
               Dick      dick@savilltech.com 

Paul Robichaux | troubleshooter@robichaux.net 


John Savill | jsavill@windowsitpro.com 
Randy Franklin Smith | rsmith@ultimatewindowssecurity.com 
Q: Is a Windows Server 2003 
and Windows Server 2008 
mixed-cluster possible? 


A: No. Windows Server 2008 introduces 
a lot of clustering changes, including 
Kerberos authentication, no support for 
parallel SCSI, and a completely modified 
API that renders Server 2008 cluster- 

ing incompatible with Server 2003 
clustering. There are no rolling upgrades 
to move a cluster from Server 2003 to 
Server 2008. 


—John Savill 
InstantDoc ID 100001 


Q: We've been testing Outlook 
Mobile Access (OMA) and have 
found that our users’ pass- 
words are being cached. How 
do we control this behavior? 


A: Well, that depends on your users’ 
phones. Here's the situation: OMA uses 
basic web authentication over Secure 
Sockets Layer (SSL) to send an authenti- 
cation request to users’ mobile devices, 
which then can either prompt the users 
for credentials or return a cached set of 
credentials. To prevent the annoyance 
of needing to continually retype your 
password on a 10-key numeric pad, 
most cell-phone manufacturers include 
some kind of caching mechanism in 
their phones. 

OMA isn't the one caching 
authentication information, so you 
can do nothing on the server side to 
prevent the behavior you describe. 
Whether you can clear the cache 
and stop the behavior depends on 
the phone. Some newer phones 
(e.g., Sony Ericsson's T610) include 
a separate password cache that has 
a shorter lifetime than the phone's 
typical cache. Contact the manu- 
facturers of your users’ phones to 
determine whether you can control 
those phones’ caching behavior. 


—Paul Robichaux 
InstantDoc ID 100004

Prevent horror stories in
your shop by following some

Security horror stories tend to
wake and shake IT pros, forcing
them to think about the safety of
assets in their organizations. No
one wants 15 minutes of fame on
Internet security blogs as a prime
example of what not to do. To prevent security
disasters, the wise systems administrator avoids
missing something obvious, watches out for the
rogue colleague and the clueless CIO, quickly
tackles user antics, and anticipates the unexpected.
The shrewd IT leader also turns security
nightmares into proactive strategies and follows
tips, such as the ones I provide in this article, to
protect valuable information.

www.windowsitpro.com   Windows IT Pro   OCTOBER 2008


SECURITY NIGHTMARES


Missing Something Obvious 

One of the most common security mis- 
takes is overlooking obvious threats. For 
example, I frequently hear stories about a 
stolen or lost laptop that holds thousands 
of confidential records or credit card data. 
Why is it possible to copy private data to 
a laptop computer in the first place? Why 
isn’t the data protected by some form of 
encryption? 

Another common tale centers on the dis- 
gruntled employee who maliciously deletes 
business-critical data. If the company in 
question had set up file and folder permis- 
sions and had regularly secured file server 
backups, the amount of damage that such 
an employee could cause would be mini- 
mal. These obvious security holes are easy 
to plug.

Rogue Systems Administrators

Another security risk is that of the rogue 
systems administrator. IT managers should 
beware of laid-off and vengeful colleagues 
who have planted “dead-man switches” 
throughout the IT infrastructure. These 
switches could trigger a routine that deletes 
critical data. At other times the switches 
could activate scripts that do more damage, 
such as reconfiguring or deleting critical 
domain accounts, changing every password 
in the environment, and locking everyone in 
the company out of their computers. 

These possibilities jar IT pros because of 
the infinite number of ways that someone 
who has complete access to the network can 
cause damage. The rogue systems adminis- 
trator knows what he or she wants to do and 
how to bypass any security measures. 


Lock Out Spambots

Systems specialist Lindy White's solution holds back spammers while
letting legitimate email through a county's website

by Anne Grubb

Businesses with public websites face the trade-off of providing
unfettered access to legitimate site users versus blocking security
threats to the site, such as hackers and bots. Local “org” websites,
such as governments and school districts, often publish employees’
contact information—but posting that information also makes the site a
prime target for spambots that comb the Internet for email addresses to
collect, or reap. Coconino County (Arizona) employees, whose contact
information is published on department pages on the county website
(www.coconino.az.gov), noticed a steep increase in spam early this year,
despite the use of a spam-filtering product. County systems specialist
Lindy White solved the problem by writing an ASP.NET 2.0 HTTP module
that intercepts county email addresses being accessed from outside the
county's Microsoft IIS web server, then redirects legitimate users to a
contact form. I spoke with Lindy about how he developed his innovative
solution and how it has drastically reduced the spam in Coconino County
employees’ mailboxes.

Q: Let's start by talking about the county site and what made it a
target for spambots.


A: On our public site, all our departments have a home page,
and some have several additional pages. Department employees
administer the content on those pages using a content management
system (CMS). They're very reliable and responsible about the kind of
information that they're publishing. Because we want our services to
be reachable, [the employees] all make sure there are plenty of email
addresses on these department pages.

Starting this year, we were filtering out roughly 400,000 emails a
month, which isn't atypical for an organization. But then we started
seeing a straight-line increase in spam going up maybe 50,000 spam
messages a month. I wondered whether our county website was
contributing to this increasing load on our spam filter, with the
number of email addresses we were exposing to web crawlers, web-bots,
and spambots. You want Google and Yahoo! to crawl your site, but
you don't want the crawlers that are specifically there to reap email
addresses.


The Clueless CIO

Clueless CIOs, although not malevolent, can be dangerous nonetheless.
Have you ever heard of a CIO who blindly ordered a change that ended up
making the IT environment less secure? At one organization a CIO
insisted on being added to the Enterprise Administrators group because,
the CIO argued, managers are higher on the organizational chart than
systems administrators. Unfortunately, the CIO brought his son to work
with him on the weekend and logged the boy on to the network using
privileged credentials. It took the company’s administrators two weeks
to put everything back in order, including returning several explicitly
labeled user accounts to their original names.

In another enterprise, a CIO acting on behalf of a CFO circumvented a
policy restricting users from installing software on their own laptops.
The CFO’s teenage son wanted to install games on his father’s powerful
laptop to use at LAN parties. Unfortunately, the games were laden with
viruses and worms. After the CFO reconnected the laptop to the corporate
network, it infected other computers. Even CIOs acting in good faith can
put your entire network at risk.


User Antics 

IT pros have to keep a close eye on users, 
but you might not realize the extent to which 
users can unknowingly compromise your 
organization. Some have actually given their 
passwords to survey-takers in exchange for a
bar of chocolate. Security guards have been
known to disable the alarm on the emergency
exit to a data center in order to prop
open the outer door for a smoke break. Stories
of user antics prove the adage “Nothing
is foolproof to a sufficiently talented fool.” 
What IT pros can learn from such stunts is 
that the average worker can either be oblivi- 
ous to or very creative about getting around 
security policies and restrictions. 


Who Could Have Guessed? 


Some security threats are almost impossible 
to anticipate. Even the most diligent, proactive 
security professionals can’t foresee horror sto- 
ries that don’t fit into the usual paradigm. For 
example, a worm-infested antivirus update 
server could infect all the other computers in 
an organization. Likewise, laptop computers 
sent to a manufacturer for repair could return 
riddled with spyware. Although risks such 
as these are difficult to predict, IT managers
should be on the lookout for them and ready
to react at the first sign.


What To Do 


In their eagerness to tackle any immedi- 
ate concerns that might arise from other 
companies’ horror stories, IT pros should 
remember to continually and analytically 
examine their entire security configuration. 
If they become too focused on avoiding 
the threat of the moment, they could miss 
more dangerous security problems. Don’t 
be swayed by vendors offering a quick band- 
aid for a problem your organization might 
not have. Also, think about whether to use 
scare tactics to awaken end users to dangers 
that are lurking behind the scenes. 

Shop wisely. Beware of consultants and 
salespeople who spread disaster tales and 


Then I took off my white hat and put on my black hat. I wrote my
own spambot, turned it loose against the county site, and came up
with almost 600 unique county email addresses. That told me everything
I needed to know. We needed to stop handing those [email
addresses] out to spambots while still making those addresses available
to people.


Q: How did you solve the spambot problem? 


A: I proposed several solutions and pitched the best one to Kevin
LaBranche, my division manager. Microsoft .NET Framework lets you
write some very low-level hook-ins to the IIS web server. So I decided
to write an HTTP module that sits in the web server's memory and
basically looks for email addresses that are leaving the web server to
go to somebody's computer. At that point, I chose to substitute a form
with CAPTCHA, to enable my program to distinguish whether a person
or a computer was accessing an email address. The email form hides
the email address, but automated spammers can still fill out the form
and submit it. The CAPTCHA test is a second level of security directed
at preventing that. The module is all callbacks; it's not linear
programming at all, it’s all event driven.

When the HTTP module snags an email address, the module con- 
nects to a database and checks a list of email addresses maintained 
there. If that email address isn’t on the list, [the module] adds it and 
assigns it a unique number. If the email address is on the list, [the mod- 
ule] just reads that number and substitutes it for the email address, so 
that your random web-bot will never see it. 


Q: How complex was the solution to develop? 


A: Where the complexity came in was that the CMS editors needed to
see the actual email addresses, not the contact ID of the form. I think I did
what was probably pioneering work in how to selectively make exceptions
for certain pages that you might classify as administrative pages
and display email addresses to the employees who needed them.


Q: When you started using the HTTP module, what happened to 
the amount of spam employees were receiving? 


A: I brought the solution online and put it in production in late February.
In March, the number of spam caught in the filter was still going
up in that same straight line, 50,000 a month. But in the March-April 
timeframe, we saw the first drop that we had ever seen. That curve 
dropped off by maybe 44,000 spam [messages]. 


Q: You're primarily a system- and server-level scripter and pro- 
grammer and don't work with end users much. Nevertheless, you 
solved a big end-user problem. Did you get any recognition within 
your organization for your solution? 


A: Yes, I was absolutely astonished to learn that I'd been nominated
for a county award because of the solution. Nobody cares about the
behind-the-scenes programming that I usually do. But whole departments
were coming up to me and saying how they were so tired of
all the spam they were getting on their public email addresses and 
thanking me for my hard work. 
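
The substitution logic described in the interview, as an added Python example (it is not the county's ASP.NET module and not code from the interview): outbound HTML is scanned for in-domain addresses, each address gets a stable contact number from a database table, and pages under an administrative prefix are returned untouched. The domain county.example, the /contact?id= form URL and the /cms/ prefix are assumptions, and the CAPTCHA-protected form itself is outside the example.

```python
import re
import sqlite3

# Assumptions for this example (none of these values come from the interview).
PROTECTED_DOMAIN = "county.example"
CONTACT_FORM = "/contact?id={id}"   # hypothetical CAPTCHA-protected form
ADMIN_PREFIXES = ("/cms/",)         # hypothetical pages where editors see real addresses

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO = re.compile(
    r'<a\b[^>]*\bhref\s*=\s*["\']mailto:([^"\'?]+)[^"\']*["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


class ContactDirectory:
    """Maps each email address to a stable contact number, as the answer describes."""

    def __init__(self, conn):
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS contacts ("
            "id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE)"
        )

    def contact_id(self, email):
        email = email.strip().lower()
        row = self.conn.execute(
            "SELECT id FROM contacts WHERE email = ?", (email,)
        ).fetchone()
        if row:
            return row[0]                      # already listed: reuse its number
        cur = self.conn.execute("INSERT INTO contacts (email) VALUES (?)", (email,))
        self.conn.commit()
        return cur.lastrowid                   # new address: assign a number

    def resolve(self, contact_id):
        """Server-side lookup used by the contact form; never sent to the browser."""
        row = self.conn.execute(
            "SELECT email FROM contacts WHERE id = ?", (contact_id,)
        ).fetchone()
        return row[0] if row else None


def in_scope(address):
    return address.lower().endswith("@" + PROTECTED_DOMAIN)


def mask_html(path, html, directory):
    """Replace in-domain addresses in an outgoing page with contact-form links."""
    if path.lower().startswith(ADMIN_PREFIXES):
        return html                            # administrative page: leave as is

    def form_link(address, label):
        url = CONTACT_FORM.format(id=directory.contact_id(address))
        return '<a href="%s">%s</a>' % (url, label)

    def on_mailto(match):
        address, label = match.group(1), match.group(2)
        if not in_scope(address):
            return match.group(0)
        # The visible link text is often the address itself; mask that too.
        label = EMAIL.sub(
            lambda a: "Send a message" if in_scope(a.group(0)) else a.group(0), label
        )
        return form_link(address, label)

    def on_bare(match):
        address = match.group(0)
        return form_link(address, "Send a message") if in_scope(address) else address

    # Pass 1 rewrites mailto: anchors; pass 2 catches addresses printed as text.
    # Addresses inside other attributes (for example value="...") are not handled.
    return EMAIL.sub(on_bare, MAILTO.sub(on_mailto, html))


# Constructed sample page, not taken from the county site.
SAMPLE_PAGE = (
    '<p>Parks director: <a href="mailto:Jane.Doe@county.example">'
    "Jane.Doe@county.example</a></p>\n"
    "<p>After hours, write to jane.doe@county.example.</p>\n"
    '<p>Site vendor: <a href="mailto:webmaster@vendor.example">'
    "webmaster@vendor.example</a></p>\n"
)

if __name__ == "__main__":
    directory = ContactDirectory(sqlite3.connect(":memory:"))
    print(mask_html("/departments/parks.html", SAMPLE_PAGE, directory))
```
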
then peddle their own wares as the only answer to your potential
nightmares. Such marketers might have only limited knowledge of your
specific security environment.

For example, without looking too hard on the Internet you can find some
frightening stories that involve SQL injection attacks. The way to
protect against such attacks is to ensure that your web application
validates input data. Some vendors sell software that does this.
Protecting against SQL injection attacks is a priority if you are
running a public-facing website that interacts with a database but is
less urgent if the only web application in your organization is a
seldom-used intranet site that contains little important data. In one
case a decision-maker at a company purchased an expensive piece of data
validation software although the only web-driven databases at the
business were used by the HR department to schedule annual leave. To
avoid such costly mistakes, look at your overall operations before
making security decisions.

Scare the wits out of users. Although bombarding IT pros with horror
stories can lead to misdirected resources, it’s OK to occasionally
frighten non-IT staff members to help them understand the reasons
behind your sometimes baffling security policies. They might learn, for
example, from the experience of a financial institution that hired a
company to test its security. The company scattered USB thumb drives
around the institution’s parking lot. Workers passing through picked up
the devices and promptly connected them to their desktop computers,
curious as to the contents of the discarded items. Unbeknownst to the
employees, the company had hidden Trojan horse software on each device
that activated when users accessed what seemed to be a harmless
collection of pictures and then transferred complete control of the
user's computer to outsiders.

Such a tactic illustrates why some organizations have a policy
disallowing the connection of unauthorized USB storage devices to
company computers. It brings a complicated policy into focus and makes
security policies seem less arbitrary to the people they affect.

Another area in which scare tactics might help is in preparing non-IT
staffers for social-engineering attacks. For example, someone phones an
employee, pretending to be from the IT department and asking for the
employee’s password. The employee reveals the information and suddenly
loses control of his or her user account. You could use this kind of
horror story to explain why IT staff members must present
identification before being allowed to reset passwords.

Likewise, clever mischief-makers might go to a user’s workspace, pick
up the phone there, and call the IT department for a password reset.
This tactic could fool the IT department into thinking that the display
of the incoming caller’s extension offered proof of identity. Telling
your users stories such as these will make them more aware of security
risks and less likely to fall for them.


Tips to Avoid Becoming Your Own 
Security Horror Story 

Think sensibly about the risks your organi- 
zation faces and deal with them in a struc- 
tured manner. Avoid diverting all your funds 
to tackle a specific threat just because you've 
recently heard rumors about it. Consider 
thunderclouds in terms of how seriously 
they could affect your organization rather 
than how they already impacted a victim 
in a security nightmare. Good IT security 
practice is not only safeguarding an asset 
but also realizing why you must do so in 
the first place. When you understand why, 
you can prioritize the protection of more 
important assets over less important ones,
thus best utilizing the resources you have
available for security projects. 

An important way to prevent safety 
snafus is to pay attention to tips designed 
to help you be proactive in protecting your 
data. The following seven frequently asked 
security questions and answers from the 
Windows IT Pro archives can help keep you 
out of the disaster maelstrom. 


TIP 1


Q: How can I perform a high-level security 
assessment of my company’s computing 
environment? 

A: Check out the Microsoft Security Assessment
Tool (MSAT) at technet.microsoft.com/en-us/security/cc185712.aspx.
After extracting the content, execute the .msi file
to install the assessment tool and view the
user guide.
MSAT doesn’t perform system scanning. 
It’s a series of 172 questions that ascertains 
technical and business processes and pro- 
duces a report about security concerns 
based on the information entered. Although 
administrators can use the tool directly, 
Microsoft partners can also run it to help 
assess their clients’ security status. 
InstantDoc ID 93696

TIP 2


Q: How can I improve my computer usage 
safety? 

A: The amount of malicious software on the 
web has increased greatly. Here are some 
guidelines to help protect you. 

Practice safe browsing. Avoid unfamiliar 
or untrusted websites, especially sites that 
advertise deals that sound too good to be 
true. Don’t install unfamiliar third-party 
toolbars. I recommend that you use only 
the MSN toolbar (toolbar.msn.com) or the
Google toolbar (toolbar.google.com). You 
can increase your browsing security by tak- 
ing these four steps: 

1. Set the Microsoft Internet Explorer 
(IE) security level to High. 

2. Add websites you consider safe to 
Trusted Sites. 

3. Use plain text to read the email mes- 
sages you receive. 

4. Block pop-up windows in your 
browser.

See www.microsoft.com/athome/security/online/browsing_safety.mspx
for directions on how to configure IE to take these precautions.
For more tips on safe surfing, visit
www.intranetjournal.com/spyware/prevention.shtml.

Apply only approved security updates. 
Always follow the appropriate method to 
update your machine and use fixes from 
windowsupdate.microsoft.com. Be sure 
that your machine is running the latest 
patches. 

Check before you click. Exercise caution 
when you receive Instant Messaging (IM) 
file transfers or links from both known and 
unknown sources. A malicious user can tap 
your Buddy/Contact lists so that it looks like 
someone you know is sending you a link to a
file. Before you click any links, always verify 
with the sender that he or she did in fact 
send you the link. 

Implement antivirus protection. Always 
run antivirus products with up-to-date virus 
definition files. You can find a list of antivirus 
suppliers at www.microsoft.com/security/partners/antivirus.asp.
You can also manually run the Microsoft Malicious Software
Removal Tool. Finally, you should use anti- 
spyware software. 

InstantDoc ID 49384

TIP 3


Q: When should I log on using the Admin- 
istrator account? 

A: Security best practices dictate that you 
shouldn’t use the Administrator account 
to perform everyday tasks because of the 
risks associated with accidentally introduc- 
ing problems as a result of using elevated 
privileges. To steer clear of such problems, 
you should create a regular user account 
for day-to-day purposes. Then, when you 
need to perform a task that requires local or 
domain administrative privileges, use the 
Runas command to complete such tasks. 
This command restricts the administra- 
tive abilities to the job that you’re on. For 
example, to open a command prompt with 
local administrative privileges, enter the 
command 


runas /user:<local machine>\administrator cmd


To open a command prompt with
domain administrative privileges, enter the
command


runas /user:administrator@<domain name> cmd


Be aware that you can use the NetBIOS
naming format with this command. For
example, to open a command prompt with
domain administrative privileges on my
network, I typed


runas /user:savilltech\administrator cmd


Any commands that you enter at the
new command prompt will run as the user
entered in the Runas command with that
user’s associated privileges.

You can replace “cmd” with any command.
For example, to start the Microsoft
Management Console (MMC) Computer
Management snap-in, type


runas /user:<computer/domain>\<account> "mmc %windir%\system32\compmgmt.msc"


To start the MMC Active Directory Users
and Computers snap-in, type


runas /user:<computer/domain>\<account> "mmc %windir%\system32\dsa.msc"


For example, to open this snap-in on my
computer, I typed


runas /user:administrator@savilltech.com "mmc %windir%\system32\dsa.msc"


Be aware that if you run the Runas 
command on a client computer (e.g., one 
running Windows XP or Windows 2000 
Professional Edition), the command will fail 
unless you've installed the administration 
tools. Although using the Runas command 
is slightly more work, you can create short- 
cuts for each command that you routinely 
run and make your system much safer. 
If you experience problems, be sure that 
the Secondary Logon service is running, 
because the Runas command requires this 
service for operation. 

InstantDoc ID 40978

TIP 4


Q: How can I protect service accounts from 
abuse? 
A: Administrators often create specific
accounts for certain services to operate
under (although more products are now
taking advantage of Local System to avoid
this requirement). Users who know the
password for a service account can log on,
making it difficult to track their activities.
When an administrator leaves, his or her
account might be disabled, but service
accounts might not have their passwords
changed. One way to protect these accounts
is to stop users from being able to employ
them to log on. You can do so by removing
the following rights:

• Logon locally. This right lets you log on
at the console with the account.

• Access this computer from the network.
This right gives access to resources such
as a shared folder on other computers.
(Be aware that if the service needs to get
to remote resources, you can’t disable
this right.)

• Logon through Terminal Services. This
right lets you log on via Windows 2000
Server Terminal Services.


Under usual circumstances, service 
accounts require only the Log on as a service 
right, so ensure that they have this permis- 
sion. However, if the service requires remote 
access to other resources, it might need the 
Access this computer from the network right. 
The easiest way to remove the three rights 
is to create a group and place all the service- 
type accounts in this group. Then develop a 
Group Policy Object (GPO) that denies the 
rights discussed and apply it at a level that 
affects all user accounts (e.g., the domain). A 
deny always overrides an allow. 
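
One way to check the result of the GPO described in this tip, as an added Python example (not Microsoft tooling and not code from the article): it reads the [Privilege Rights] section of a file produced by `secedit /export /cfg <file> /areas USER_RIGHTS` and reports which deny rights the service-account group lacks and which service accounts cannot log on as a service. The group name, SID and account names in the sample export are constructed, and the SeDeny* names are the Windows user-right constants that correspond to the three rights listed above.

```python
import re

# Deny user rights that correspond to the three logon rights named in the tip.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "log on locally",
    "SeDenyNetworkLogonRight": "access this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "log on through Terminal Services",
}


def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased SIDs/names} from a secedit export."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading "*"; account names appear without it.
        rights[name.strip()] = {
            v.strip().lstrip("*").lower() for v in value.split(",") if v.strip()
        }
    return rights


def audit_service_accounts(rights, group_ids, service_accounts, needs_network=False):
    """Return a list of (right, finding) tuples; an empty list means compliant.

    group_ids: every form the group can take in the export (name and SID).
    needs_network: True when the service must reach remote resources, in
    which case the network right cannot be denied (the tip's exception).
    """
    group = {g.lower() for g in group_ids}
    findings = []
    for right, label in DENY_RIGHTS.items():
        if right == "SeDenyNetworkLogonRight" and needs_network:
            continue
        if not group & rights.get(right, set()):
            findings.append((right, "group is not denied the right to " + label))
    holders = rights.get("SeServiceLogonRight", set())
    for account in service_accounts:
        if account.lower() not in holders and not group & holders:
            findings.append(("SeServiceLogonRight", account + " cannot log on as a service"))
    # A deny overrides an allow, so a deny here would stop the services.
    if group & rights.get("SeDenyServiceLogonRight", set()):
        findings.append(("SeDenyServiceLogonRight", "group is denied log on as a service"))
    return findings


# Constructed sample export. A real file from secedit is UTF-16, so read it
# with open(path, encoding="utf-16").
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight = *S-1-5-20,EXAMPLE\svc-backup
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""
GROUP_IDS = (r"EXAMPLE\Service Accounts",
             "S-1-5-21-1111111111-2222222222-3333333333-1105")
SERVICE_ACCOUNTS = (r"EXAMPLE\svc-backup", r"EXAMPLE\svc-sql")

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    for right, finding in audit_service_accounts(parsed, GROUP_IDS, SERVICE_ACCOUNTS):
        print(right + ": " + finding)
```
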

TIP 5


Q: How can I generate a hash value for a 
file or folder? 

A: You might encounter situations in which 
you want to ensure that one file is the 
same version and has the same content as 
another file—for example, when you send 
a file to someone, you might want to ensure 
it hasn’t been corrupted or altered. A hash 
is an alphanumeric string that’s generated 
according to a file’s contents. If the file 
has been changed in any way, the hash 
value changes as well. Microsoft created 
a utility to generate hash values. You can
download it at download.microsoft.com/download/c/f/4/cf454ae0-a4bb-4123-8333-a1b6737712f7/windows-kb841290-x86-enu.exe.
The program is extracted to a folder
that you specify and consists of a readme 
file and the fciv.exe image, which generates 
the hash values. To generate a hash for a file, 
use the syntax 


fciv d:\temp\yodapepsi.mpg


After you enter the command, you'll see
an on-screen message like the following, the
generated hash value, and the corresponding
filename:


//
// File Checksum Integrity Verifier version 2.95.
//
253f066ffa7c50e1e03fa588f23e3230 d:\temp\yodapepsi.mpg


To generate hashes for every file in a 
folder, simply specify the folder name, as 
this example shows: 


fciv d:\temp 


The command outputs information sim- 
ilar to this on the screen: 


//
// File Checksum Integrity Verifier version 2.95.
//
5d5d1f14c8704e935a87ad78fc535bea d:\temp\79298Training.pdf
8658bf85ba3ebe184c6d5cd0269a9e89 d:\temp\BO-DFRS Transcript.doc
427048a497768d91cd57e29fb9199d2b d:\temp\BODFRS Live Meeting.wmv
253f066ffa7c50e1e03fa588f23e3230 d:\temp\yodapepsi.mpg


The readme file contains more examples 
of how to use fciv.exe, including employing 
different algorithms and generating hash 
values for entire tree folders. 
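
The comparison step this tip leads up to, as an added Python example (not part of fciv and not code from the article): it parses a saved listing in the layout shown above, recomputes each file's hash, and reports files that are unchanged, changed or missing. The function names and the temporary files in demo() are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# A listing line is "<hex digest> <path>"; the path may contain spaces.
LISTING_LINE = re.compile(r"^([0-9a-fA-F]{32,64})\s+(.+)$")


def parse_listing(text):
    """Return {path: digest} from output in the layout fciv prints."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):   # banner lines start with //
            continue
        match = LISTING_LINE.match(line)
        if not match:
            raise ValueError("unrecognised listing line: %r" % line)
        entries[match.group(2)] = match.group(1).lower()
    return entries


def file_digest(path, algorithm="md5"):
    """Hash a file in 1 MB blocks so large files do not have to fit in memory.

    md5 matches the 32-digit hashes shown in the tip (fciv's default). It
    catches corruption; pass "sha256" when deliberate tampering is the concern.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def make_listing(folder, algorithm="md5"):
    """Hash every file in a folder and return a listing in the same layout."""
    lines = ["//", "// constructed listing in the fciv layout", "//"]
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            lines.append("%s %s" % (file_digest(path, algorithm), path))
    return "\n".join(lines)


def verify(listing_text, algorithm="md5"):
    """Return {path: "ok" | "changed" | "missing"} for every listed file."""
    report = {}
    for path, expected in parse_listing(listing_text).items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif file_digest(path, algorithm) != expected:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report


def demo():
    """Hash three constructed files, alter one, delete one, then verify."""
    with tempfile.TemporaryDirectory() as folder:
        for name, data in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")):
            with open(os.path.join(folder, name), "wb") as handle:
                handle.write(data)
        listing = make_listing(folder)            # the hashes you keep on file
        with open(os.path.join(folder, "b.txt"), "ab") as handle:
            handle.write(b"!")                     # simulate an altered file
        os.remove(os.path.join(folder, "c.txt"))   # simulate a lost file
        return {os.path.basename(p): s for p, s in verify(listing).items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(name, status)
```
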

TIP 6


Q: What authentication methods are avail- 
able for Active Directory (AD)? 

A: Windows 2000 and AD introduced Kerber- 
os as the principal authentication mecha- 
nism for all Win2K and later machines. 
However, earlier authentication protocols
are maintained for backward compatibility.
Here’s a summary of the available ones. 

LAN Manager. Microsoft and IBM created 
this protocol for OS/2. It’s the least secure of 
all the authentication protocols and is used 
primarily by Windows Me and Windows 9x. 
LAN Manager uses a two-part, 32-character 
password hash. The first seven characters of 
the password make up the first part of the 
hash, and the last seven characters make up 
the second part (thus the 14-character maxi- 
mum password size). Consequently, if you 
have a seven-character password, the second 
16 characters of the password hash would 
be the same as the first 16 characters, thus 
revealing to an attacker that the password is 
only seven characters. 

NT LAN Manager (NTLM). This is a 
more secure challenge-response authenti- 
cation protocol than LAN Manager. It uses 
56-bit encryption for protocol security and 
stores passwords as an NT hash. Windows 
NT 4.0 Service Pack 3 (SP3) and earlier cli- 
ents use this protocol. 

NTLMv2. This version of NTLM uses 
128-bit encryption and is employed on 
machines running NT 4.0 SP4 and later. 
This is the most secure challenge-response 
authentication available. 

Kerberos. Kerberos is essentially a ticket- 
based authentication protocol. See the FAQ 
“What is Kerberos?” at www.windowsitpro.com/article/articleid/15294/15294.html
for a more detailed explanation. You can also
find out more by reading “Win.NET Server
Kerberos,” October 2002, InstantDoc ID
26450. Kerberos is the most secure authentication
method, and you should use it
whenever possible.

TIP 7


Q: If I use the Encrypting File System 
(EFS) to protect confidential files, how 
can I avoid losing that information when 
my organization upgrades its computers, 
or if a user loses a computer and I need to 
restore files from backup? 

A: The best way to prevent data loss is by 
backing up the data recovery agent cer- 
tificate and/or the user’s EFS certificate and 
private key. Without one of these certificates 
and its private key, there is usually no way to 
recover an encrypted file.

If your computers are part of an Active
Directory (AD) domain, you can take advantage
of a Group Policy feature that lets you
set up a single data recovery agent certificate
that you can use to decrypt any encrypted
files in the domain. If a central data recovery
agent isn’t an option, then you must export 
each user’s EFS certificate along with its 
private key and store it in a safe place. 

To export a certificate, log on as the 
user in question and open the Microsoft 
Management Console (MMC) Certificates 
snap-in (not the MMC Certificate Templates 
snap-in or the MMC Certification Authority 
snap-in). Open the user’s Personal\Cer- 
tificates folder and find the EFS certificate. 
Right-click and select All Tasks, Export. Click 
Next on the first page of the wizard, select 
Yes, export the private key, and click Next 
until prompted for a filename. Save the file 
to some type of removable media and finish 
the wizard. Now store the certificate in a 
physically safe place. 

In the future, if a user is unable to access 
a file—whether it has been restored to a 
new computer or Windows has been rein- 
stalled—just use the Certificates snap-in to 
import the certificate, and you have solved 
your problem. A final note: Your concern 
about losing data is well placed. There is no 
back door into EFS; if you lose the key(s) to 
it, you lose your data.

Security Blanket

By following practices such as the ones out- 
lined in these tips and by taking a proactive 
approach to monitoring your entire security 
configuration, you can avoid becoming an 
example of a security horror story. If you 
invest time and resources in anticipation of 
a disaster, it’s likely that the calamity won’t 
occur. You’ll save money in the long run 
and won’t have to worry as much about the 
foolhardy folks around you. 
PRE-CONFERENCE


NOVEMBER 9, 2008 


PRE-CONFERENCE 2-DAY WORKSHOP • 9AM-4PM • WINDOWS TRACK
AUTOMATING IT OPERATIONS BY USING WINDOWS
POWERSHELL - DAY 1 (Bring Your Own Laptop)

DON JONES 

Don Jones, the industry's most experienced Windows PowerShell instructor
and 5-year recipient of Microsoft's MVP Award, teaches you to put Windows
PowerShell to practical use in two full days of hands-on, practical instruction.
You'll learn about the “PowerShell Way Of Doing Things,” including its cmdlets
and unique pipeline, and you'll learn how to use PowerShell's simplified,
14-keyword scripting language to automate your organization's own business
processes. You'll focus on real-world administrative tasks that utilize Active
Directory, Windows Management Instrumentation, and more. This is an
intense session, and while it requires no previous Windows PowerShell
experience, you should bring significant Windows administration experience
and be prepared to learn fast and work hard. This workshop is exclusive to
Windows Connections and cannot be found elsewhere. This is a two-day
hands-on workshop. Bring your own laptop. Your laptop must have Windows
PowerShell installed and you must have full Administrator privileges. To fully
participate, you must also be running a virtual machine that contains a
Windows 2003 or 2008 domain controller, in a standalone test domain, with
both Windows PowerShell and the AD Management Shell cmdlets (free from
www.quest.com/powershell) installed inside the virtual machine. For full
session system requirements visit http://preview.tinyurl.com/45rju3.


PRE-CONFERENCE WORKSHOP • 9AM-4PM • EXCHANGE TRACK

U-FIX-IT: TROUBLESHOOTING EXCHANGE SERVER 2007 

(Bring Your Own Laptop) 

PETER O'DOWD 

This intensive one-day troubleshooting workshop is essential for IT and
Exchange administrators who want hands-on experience troubleshooting
databases, message flow, and performance in a lab environment. Exchange
expert and MVP Peter O'Dowd will walk you through the process of identifying
and solving problems using a wide range of tools and techniques. On your
laptop, you'll perform virtual hands-on labs developed by Wadeware® that
simulate problems, and then walk through the process of troubleshooting and
solving them. Attend this full-day workshop to better understand Exchange
database architecture and gain knowledge necessary to recover and support
your Exchange Server 2007 system. NOTE: The laptop you bring MUST have at
least 2GB of memory, 15GB free disk space, and should have an optical drive
capable of reading a dual-layer DVD.


NOVEMBER 10, 2008 


PRE-CONFERENCE 2-DAY WORKSHOP • 9AM-4PM • WINDOWS TRACK
AUTOMATING IT OPERATIONS BY USING WINDOWS
POWERSHELL - DAY 2 (Bring Your Own Laptop)
DON JONES 
See abstract above. 


PRE-CONFERENCE WORKSHOP • 9AM-4PM • EXCHANGE TRACK

WALK IN THE PARK: MICROSOFT EXCHANGE 2007 HANDS-ON LABS 
(Bring Your Own Laptop) 

PETER O'DOWD 


Come take a six-hour guided tour of Exchange Server 2007 and see for
yourself the next evolution of the world’s most powerful messaging system.
Experience the new Management Console, the five new server roles, e-mail
policy enforcement and compliance, powerful new scripting tools, new
architecture, new high availability and disaster recovery features, new
mailbox features, and methods for migrating from earlier versions of
Exchange. In this information-packed day with Exchange expert and MVP
Peter O'Dowd, you'll get hands-on experience with Exchange Server 2007
using your laptop to walk through several labs developed by Wadeware®.
NOTE: The laptop you bring MUST have at least 2GB of memory, 15GB free
disk space, and should have an optical drive capable of reading a
dual-layer DVD.

www.WinConnections.com


PRE-CONFERENCE WORKSHOP • 9AM-12PM • WINDOWS TRACK

GROUP POLICY FUNDAMENTALS, SECURITY, AND CONTROL 
JEREMY MOSKOWITZ 

Group Policy is the most efficient way to manage desktops in a Windows
environment. If you are still running to machines to install and configure
desktops, you are not taking full advantage of the power of Group Policy. In
this practical workshop, Jeremy Moskowitz will help you gain control of your
environment and get your life back. This is the perfect workshop to take
before doing “deep dives” into the main sessions of the conference. You'll get
a little bit of everything: deployment, configuration, control, and security!
We'll warm up with some Group Policy basics. Then, you'll learn how to get
your XP and Vista client machines up and running with some new setup
options. After your machines are up and running, Jeremy will show you how to
manage your environment with GPOs. You'll get some “solid base hits” to
ensure you can go back to work with some good ideas you can immediately put
to use. For instance, learn how to zap printers down to your computers,
remotely deploy software to your users’ desktops, and use Group Policy to
secure collections of machines. You'll also get a sneak peek at the Group
Policy Preferences, the newest Microsoft technology that's 100% free, and it
will get you out of login-script hell. We'll examine how Group Policy can do
the heavy lifting for the jobs you want to do! This session has both XP and
Vista content. (NOTE: Some material is repeated in Jeremy's regular sessions as reinforcement.)


PRE-CONFERENCE WORKSHOP • 1PM-4PM • WINDOWS TRACK
VIRTUALIZATION: A REAL-WORLD JUMP START 

ALAN SUGANO 

Virtualization is one of the hot topics this year. With significant increases in 
performance of the current generation of server hardware with quad-core 
processors, high memory capacity, and Serial Attached SCSI (SAS) drives, 
much of the processing power on a server goes unused. Virtualization allows 
you to take advantage of this processing power by running several virtualized 
servers on one physical host. If you're considering virtualization and are new 
to this technology, this workshop will get you up to speed. You'll learn about 
the following topics: 


■ Virtualization hardware. Server processors, memory and hard drive
  configurations. Optimization of the hardware and the virtual environment
  for the best virtual guest performance. Running the x64 platform
  for virtual hosts and guests.
■ Virtualization software (Virtual Server 2005, VMware Server, ESX Server).
■ Backup strategies of virtual servers.
■ Virtualization and high availability. Learn about the high availability
  solutions from Microsoft and VMware in the virtual server environment.
■ Virtual guest limitations and how to determine if virtualization is a good
  fit for your application.
PRE AND POST-CONFERENCE


PRE-CONFERENCE WORKSHOP • 9AM-4PM • SHAREPOINT TRACK
SHAREPOINT SERVER 2007 DOCUMENT MANAGEMENT 
BEST PRACTICES 
BEN CURRY 
Document management is the process of applying creation, management,
storage and other rules to how documents are created, persisted and expired
within an organization. Document collaboration is merely the process of
checking out, checking in, and versioning a document before it is published.
Windows SharePoint Services gives you document collaboration, whereas
SharePoint Server 2007 gives you document management. Records management
encompasses all of document management, plus it applies to a broader set of
content elements, not just documents. Any electronic record, such as a list
item or log entry, can be managed as well in SharePoint Server 2007 if there
is a need to do so. Managing these documents involves workflows, templates,
expiration policies, and integration with the Microsoft Office suite. This
workshop will cover the following:
1. Creating and managing Web applications for document collaboration 
a. Content database planning and management 
b. Information architecture 
c. Site directory 
2. Creating and managing document libraries from an 
administrator's perspective 
3. Creating and managing large lists for performance using indexed 
columns and folders 
4. Integration with third-party products and Microsoft Outlook 2007 
5. An overview of using Workflows for business processes 
6. Leveraging content types for document management 
a. Templates 
b. Expiration 
c. Metadata collection via site columns and document information panels 
d. Workflows 
7. Replacing file shares with SharePoint (or why not to) 
8. Configuring document repositories for search and findability 
9. Managing documents from multiple locations 
10. Creating and managing a records repository 


11. Understanding and using the Recycle Bin for item recovery


PRE-CONFERENCE WORKSHOP • 9AM-4PM
PLATFORM EXTENSION MODEL FOR SHAREPOINT PRODUCTS
AND TECHNOLOGIES

MICHAEL HERMAN 

The goal of the Platform Extension Model for SharePoint Products and 
Technologies is to help architects and project planners understand how best 
to map their solution requirements with the ITB (In The Box) features of the 
SharePoint platform to minimize the amount of custom coding and maximize 
the amount of solution development through configuration (solution compos- 
ability). The SharePoint Feature Dependency Network is also introduced. 


POST-CONFERENCE 


POST-CONFERENCE WORKSHOP • 9AM-4PM • WINDOWS TRACK
REIMAGINING WINDOWS ADMINISTRATION:
THE CONNECTIONS CAPSTONE

DAN HOLME 

Find out why this workshop, revised for Windows Server 2008 and Windows
Vista, is consistently rated as a “best of breed” session. From his work with
dozens of Fortune-caliber enterprises, Dan Holme has amassed a wealth of
experience and expertise: solutions that enable you to deliver real-world
administrative best practices within the constraints of real-world budgets and
technologies. This workshop will enable you to design and implement 21st
century best practices for Windows and Active Directory administration so you
can work SMART: Secure, Managed, Automated, Responsive and Trustworthy.


Role-Based Management Extreme Makeover: You will discover how to implement 
role-based management, in which users are defined by their business roles 
and where resource access and configuration are instantly, accurately, and 
auditably applied. Empower your enterprise to enable a documented, 
auditable structure for resource security, asset management, and more.


Advanced Active Directory & Administrative Delegation: Rethink the way you delegate 
and manage administrative tasks by applying concepts of role-based man- 
agement and least privilege to administrators themselves. Learn what you 
can do to lock down and provision AD, client, and server administration and 
to create an effective administrative hierarchy. 


Provisioning And Proxying: You have the technology. Your business has processes. 
But too commonly they are not aligned. Learn how concepts of provisioning 
and proxying can enable you to support business processes through easy-to- 
implement solutions for scenarios including user management, new and 
replaced computers, and group membership tracking, to name a few. 


This workshop will be invaluable for companies wanting to maximize their 
investment in their Windows infrastructure, and a perfect capstone to your 
Connections experience. 


POST-CONFERENCE WORKSHOP • 9AM-4PM • EXCHANGE TRACK

WALK IN THE PARK: OFFICE COMMUNICATIONS SERVER HANDS- 
ON LABS (Bring Your Own Laptop) 

THOMAS FOREMAN 

Come take a six-hour guided tour of Office Communications Server (OCS) 
2007 and see for yourself the latest Microsoft Unified Communications prod- 
uct. Much, much more than Instant Messaging, Office Communications Server 
provides text, web conferencing, and Voice over IP solutions that allow you to 
change the way your organization communicates. We'll install and configure 
OCS 2007, demonstrate Office Communicator 2007 and Live Meeting 2007, 
configure and integrate OCS 2007 with Exchange Server 2007 Unified 
Messaging, and configure and use Communicator Web Access. In this informa- 
tion-packed day, you'll use your laptop to walk through several hands-on labs 
developed by Wadeware® with OCS expert MVP Thomas Foreman. 


NOTE: The laptop you bring MUST have at least 2 gig of memory (4 GB recommended), 20 GB free 
disk space, an optical drive capable of reading a dual-layer DVD, and a headset with microphone. 


POST-CONFERENCE WORKSHOP • 9AM-4PM • SHAREPOINT TRACK


THE SHAREPOINT DEVELOPER, DESIGNER, AND POWER USER 
GAME SHOW 

DUSTIN MILLER 

During the SharePoint Developer, Designer, and Power User Game Show, you'll 
learn the right way and the wrong way to develop custom solutions, design 
master pages and themes, and customize your site with tools like SharePoint 
Designer. This post-con workshop is designed to appeal to developers, Web 
designers, and even “power users” who want to know how best to take 
advantage of SharePoint as a platform for collaboration and development.
While there will be some focused discussions involving topics like .NET
coding, master page and page layout design, and data view Web parts, the 
workshop will include sample code and ideas for every attendee, and is 
designed to allow everyone to take away something useful and powerful for 
their own SharePoint projects, no matter what their role. While there won't be 
lab assignments during this session, written labs will be provided to each 
attendee via an online site exclusive to this post-con workshop. Plus: It's a 
game show! Plan to have fun and maybe even win some prizes! 
MICROSOFT EXCHANGE
MICROSOFT DAY:

THE FOLLOWING SESSIONS WILL ALL BE PRESENTED
BY SPEAKERS FROM MICROSOFT.


MICROSOFT EXCHANGE SESSIONS

WINDOWS SERVER 2008 HYPER-V AND MICROSOFT EXCHANGE
SERVER 2007 SP1
MICROSOFT

HOW MICROSOFT IT DESIGNED AND DEPLOYED THE EDGE
TRANSPORT SERVERS TO PROTECT THE MESSAGING
ENVIRONMENT
MICROSOFT

GOING BIG! DEPLOYING LARGE MAILBOXES WITH MICROSOFT
EXCHANGE SERVER 2007 WITHOUT BREAKING THE BANK
MICROSOFT

ADVANCED TROUBLESHOOTING STRATEGIES FOR MICROSOFT
EXCHANGE SERVER 2007
MICROSOFT

EAS AND OWA FOR MICROSOFT EXCHANGE SERVER 2007 SP1
MICROSOFT

MICROSOFT EXCHANGE SERVER 2007 SP1 ARCHITECTURE AND
DESIGN IN MICROSOFT IT
MICROSOFT


UNIFIED COMMUNICATIONS SESSIONS

PLANNING VOICE ARCHITECTURE AND DEPLOYMENT IN
MICROSOFT OFFICE COMMUNICATIONS SERVER 2007
MICROSOFT

MICROSOFT OFFICE COMMUNICATOR 2007 INTERNALS AND
TROUBLESHOOTING
MICROSOFT


SCHEDULE
at a glance

SUNDAY, NOVEMBER 9, 2008
7:30am - 12:00pm   Pre-Conference Registration ONLY
9:00am - 4:00pm    Pre-conference Workshops

MONDAY, NOVEMBER 10, 2008
7:00am - 5:00pm    Conference Registration
9:00am - 4:00pm    Pre-conference Workshops
6:30pm - 8:30pm    Opening Keynote

TUESDAY, NOVEMBER 11, 2008 • MICROSOFT DAY
7:00am - 5:00pm    Conference Registration
7:00am - 8:00am    Continental Breakfast
8:00am - 9:00am    Keynote
9:30am - 10:30am   Conference Sessions
10:45am - 11:45am  Conference Sessions
11:45am - 1:30pm   Lunch
1:30pm - 2:30pm    Conference Sessions
2:45pm - 3:45pm    Conference Sessions
5:00pm - 7:00pm    Expo Hall Opens/Reception

WEDNESDAY, NOVEMBER 12, 2008
7:00am - 5:00pm    Conference Registration
7:00am - 8:00am    Continental Breakfast
8:00am - 9:18am    Conference Sessions
10:00am - 11:15am  Conference Sessions
11:30am - 12:45pm  Conference Sessions
12:45pm - 2:15pm   Lunch
4:15pm - 5:30pm    Conference Sessions

THURSDAY, NOVEMBER 13, 2008
7:00am - 8:00am    Continental Breakfast
8:00am - 9:15am    Conference Sessions
9:30am - 10:45am   Conference Sessions
11:30am - 12:30pm  Conference Sessions
12:30pm - 2:15pm   Lunch
2:15pm             Expo Hall Closes
2:15pm - 3:15pm    Conference Sessions
3:45pm - 4:30pm    Closing Session

FRIDAY, NOVEMBER 14, 2008
9:00am - 4:00pm    Post-conference Workshops


TUESDAY, NOVEMBER 11:
“WOMEN IN TECHNOLOGY” LUNCHEON
SEE WEB SITE FOR DETAILS.
EXC01: DESIGN VALIDATION USING
JETSTRESS AND LOADGEN

JUERGEN HASSLAUER 

You just finished the design concept of your new 
Exchange Server 2007 environment. Are you con- 
fident that it will fulfill the requirements of your 
users? Are you sure that the latency of the stor- 
age subsystem is within the supportability bound- 
aries defined by Microsoft? How can you verify if 
your Client Access Server is able to handle the 
predicted number of concurrent connections from 
your mobile workforce using Outlook Web Access 
and Outlook Anywhere? This session discusses 
how you can use Jetstress to test the storage 
subsystem. You will learn how to use LoadGen to 
simulate users accessing the Exchange environ- 
ment with different protocols. This will enable you 
to validate your design and be confident that you 
can identify issues before you move the Exchange 
environment to production. 


EXC02: EXCHANGE SERVER 2007 
CONTINUOUS REPLICATION 

JUERGEN HASSLAUER 

Exchange Server 2007 supports continuous data 
replication and enables administrators to create a 
second copy of the data stored in the information 
store. This session discusses Local Continuous 
Replication (LCR), Cluster Continuous Replication 
(CCR), and Standby Continuous Replication (SCR). 
You will learn how you can use these built-in 
application replication methods for geographical- 
ly dispersed deployments. This session will help 
you to make an informed decision about when to 
use LCR, CCR, SCR, or a traditional storage-based 
replication solution from a third-party vendor. 


EXC03: EXCHANGE MAILBOX
SERVER SIZING

JUERGEN HASSLAUER 

Exchange Server 2007 is now a 64-bit application 
and it removed the scalability boundaries of its 32- 
bit predecessor. No more kernel memory limits and 
heavily reduced storage performance requirements. 
Can I now host 10,000 users with 2 GB mailboxes on
one mailbox server? Should I give back my expensive
SAN array and buy a few, cheap, large-capacity
disks for a direct attached storage box? Continuous
Replication looks great, should I now drop the best
practice to run daily full backups and put all my
faith in the database replica? This session provides 
answers to these questions that come up in 
Exchange Server 2007 migration. This session dis- 
cusses rules of thumb for sizing your Exchange 
servers and shares the findings from production 
deployments in corporate environments. 


EXC04: EXCHANGE 2007 DUAL-SITE 
DISASTER RECOVERY 

DAVE BANTHORPE 

Exchange 2007 has brought a new routing model
to messaging deployments, one that relies on the
Active Directory site topology. In many cases this
may not present any issues to you, but what hap- 
pens in a disaster recovery scenario? As an 
Exchange administrator what do you need to do to 
get mail flowing again? This session looks at a typ- 
ical hub-spoke AD site design where the central 
hub services are split across two main datacenters 
for disaster recovery purposes. It looks at what 
happens to mail flow in various failure scenarios 
for both Hub and Edge Transport services and at 
what intervention is required to get mail flowing 
again. It will also take a look at what impact this 
has on public folder replication for Free/Busy and 
Offline address books for Outlook 2003 clients. 


EXC28: EXCHANGE AT HALF THE PRICE!- 
OPTIMIZING YOUR EMAIL INFRASTRUCTURE 
USING CONSOLIDATION AND 
VIRTUALIZATION 

FRANK WRUBEL 

Microsoft Exchange Server 2007 has been signifi- 
cantly enhanced to utilize x64 technology and take 
advantage of increased memory. This enables 
greater scalability, increased functionality and 
improved performance compared to previous 
releases. In order to best take advantage of this 
performance, and minimize investment that may 
be required, a new perspective on underlying infra- 
structure may be in order. Considering an alterna- 
tive to the business-as-usual approach is particu- 
larly apt at a time when new (x64) server invest- 
ment is required by most and when organizational 
communications is evolving so rapidly. 

In this session we will discuss work that has been
done to test the limits of Exchange 2007 using various
consolidation methodologies and virtualization
technologies, with a particular emphasis on bottom
line results/savings. The objective of this effort has
been to increase the utilization of large-scale,
enterprise-class email environment assets and to reduce
the cost to the organization while increasing the
security, resilience, and responsiveness to changing
end-user and organizational needs.


EXC07: DATABASE PORTABILITY -
HA WITHOUT CLUSTERS

ROBERT DAWSON 

Do you have a need for High Availability? Is clus- 
tering not an option due to resources, training, 
or complexity? Database portability can help. In 
just a few minutes more than the time it takes to 
recover your database from backup, you can 
have your Exchange Mailboxes back online and 
fully functional. 




EXC08: MIGRATION TO EXCHANGE 2007: 
THE FRONT END 

ROBERT DAWSON 

If you have a front-end/back-end scenario and
want to move to Exchange 2007 or have Exchange 2007
and Exchange 2003 coexist, this seminar is for you.
The instructor will go over coexistence strategy and
which steps to take at what time. You will also
learn to set up your new front-end servers in a
multiple site, single URL environment, using ISA
to proxy and load balance your server farm. You
can do all of this without large interruptions and
re-education of the end-user community.


EXC09: USING ARCHIVING SOLUTIONS
TO IMPROVE EXCHANGE OPERATIONAL
EFFECTIVENESS

KIERAN MCCORRY 

Using an archiving product can reap significant 
benefits for the operational effectiveness of your 
e-mail system. This case-study based session will 
describe possible architectural solutions and 
benefits from implementing such solutions 
alongside your Exchange environment. 


EXC10: EXCHANGE 2007 AND WINDOWS 
2008: BACKUPS THE EASY WAY 
MICHAEL B. SMITH 

Server 2008 removed the venerable ntbackup and
replaced it with Windows Server Backup, which
lacks the capability of generating backups and
restores for Exchange. Until now, you've only had
the option of acquiring a third-party backup solution.
I'll show you how to do your backups with
VSS and restore them. With just a little PowerShell
scripting and help from the Windows Server SDK,
you can replace all the functionality of ntbackup.


EXC11: SMALL-AND-MEDIUM ORGANIZATION 
EXCHANGE SERVER OPERATIONS 
MICHAEL B. SMITH 

Once you've configured Exchange Server, it just 
sits there and hums along. But you, the Exchange 
administrator, need to be taking a proactive interest
in monitoring your Exchange server. This session 
discusses the “must do” monitoring and how to do 
this inexpensively. This will include a PowerShell 
script that can get this information for you. 


EXC12: QUICKTEST: BUILDING AN 
EXCHANGE TEST ENVIRONMENT IN A HURRY 
MICHAEL B. SMITH 

This session discusses building an Exchange Server 
(and client!) test environment based on virtualiza- 
tion. This session will use Virtual PC 2007, but the 
concepts are applicable to Hyper-V and VMware. 


SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 
REGISTER TODAY • 800-505-1201 • 203-268-3204


EXC13: SCMDM AND EXCHANGE:
IS THERE ROOM FOR BOTH?

PATRICK SALMON 

Like Exchange, SCMDM 2008 has numerous poli- 
cies which the administrator can apply to the 
Windows Mobile device. At first glance it may 
appear that there's considerable overlap, thus 
making it hard for the decision-maker to make 
the best choice for their organization. This session
is aimed at the architect, designer, and
implementer who is looking to put the best 
solution in place for their organization and will 
highlight the differences and commonalities 
between both products. 


EXC14: FITTING SCMDM INTO YOUR 
EXCHANGE ENVIRONMENT 

PATRICK SALMON 

Exchange is the “quick hit” Line of Business (LoB) 
application for SCMDM. Most customers when dis- 
cussing provisioning, supporting, and managing 
Windows Mobile in the enterprise will look to 
Exchange as being the primary application that 
they'll want to make available to their Windows 
Mobile community. This session is aimed at
covering the key issues when it comes to planning,
deploying, and scaling SCMDM in order
to successfully integrate it with Exchange in
your environment.


EXC17: VIRTUALIZING EXCHANGE 
DEVIN GANGER 

With the release of Hyper-V for Windows Server 
2008 and System Center Virtual Machine 
Manager, Microsoft has put serious virtualization 
technology on the table. But does it make sense 
to have a virtualized Exchange deployment? 
This session will look at the various benefits, 
limitations, and challenges of deploying 
Exchange in a virtual environment. How will it 
affect licensing, storage design, backup and 
recovery, and support? 


EXC18: EXCHANGE PROTECTION USING 
DATA PROTECTION MANAGER 

DEVIN GANGER 

Backing up and restoring Exchange servers is an 
essential part of keeping your messaging infra- 
structure up and running, but it's often a source 
of pain. Why should you consider using Microsoft 
System Center Data Protection Manager 2007 to 
protect your Exchange servers and clusters? What 
configurations are supported and what limitations 
does this place on your Exchange design? This 
session covers protecting Exchange 2003 and 
2007 servers and clustered environments, includ- 
ing the new Exchange 2007 replication options. 


EXC20: TRANSPORT RULES:
EXCHANGE 2007'S KILLER FEATURE?
WILLIAM LEFKOVICS 

Remember back when your boss/CIO/clients wanted
to do something simple like add a disclaimer to
certain messages or prepend text to the message
subject line and your answer was... “We need a
third-party product or an Event Sink programmer?”
Exchange 2007 Transport Rules for some
represent the killer feature in the latest version of 
Exchange Server. This session walks you through 
the transport rules interface, discusses transport 
agent architecture, and creates some transport 
rules including the use of Message Classifications 
in creating Ethical Walls within the organization. 


EXC21: DEFENSE IN DEPTH WITH 
EXCHANGE EDGE SERVICES 

WILLIAM LEFKOVICS 

This session walks you through the layers of anti- 
spam protection available within Microsoft 
Exchange Server 2007 out of the box and discusses
the importance of eliminating undesirable con- 
tent as early as possible in the SMTP conversa- 
tion. The session will cover importing settings 
from Exchange 2003 and different mechanisms 
for applying settings to multiple Edge Servers. 


EXC22: I WISH I HAD KNOWN...
EXCHANGE 2007 UPGRADE LESSONS 
FROM THE FIELD 

JIM MCBEE 

Get practical advice and experiences to help pre- 
pare you for Exchange Server 2007. Exchange 
Server 2007 has been out now for two years but 
only now are many organizations moving forward 
with plans to upgrade. This overview session cov- 
ers many of the common problems and their solu- 
tions that early adopters have experienced when 
moving from Exchange Server 2000/2003 to 
Exchange Server 2007. Even if you are not ready to 
upgrade yet, you will take away a checklist of 
things you can do to help get you prepared. 


EXC23: YOU CAN TAKE IT WITH YOU... 
TAKING ADVANTAGE OF EXCHANGE 2007 
DATABASE PORTABILITY 

JIM MCBEE 

This intermediate level session examines the new 
Exchange Server 2007 database portability fea- 
ture that allows a database to be moved to a dif- 
ferent Exchange 2007 server. The session looks 
at copying databases to another server in the 
same organization, using Standby Continuous 
Replication, Move-Mailbox options, and moving a 
database to a new organization entirely. 


EXC24: AMAZE YOUR FRIENDS AND 
USERS WITH GLOBAL ADDRESS LIST 
TIPS AND TRICKS 

JIM MCBEE 

For most organizations with Exchange, the Global 
Address List (GAL) becomes your company’s cor- 
porate phone directory. Most Exchange adminis- 
trators don't realize that you can further cus- 
tomize the GAL and do some very simple things 
that will make this resource even more valuable 
for your users. This intermediate level session 
takes a look at some things you can do to cus- 
tomize the GAL including creating address lists, 
customizing details templates, defining 
“resource” objects, and creating a naming stan- 
dard that helps with sorting. 


EXC25: POWERSHELL 101 

PAUL ROBICHAUX 

The Exchange Management Shell (EMS) is a key part 
of the Exchange 2007 experience. What if you're not 
a scripter? Don't worry; you can still get plenty 
done with EMS after just a little learning. This ses- 
sion covers the basics of what you need to know 
about how EMS works and what you can do with it. 


EXC27: WHAT'S NEW IN EXCHANGE? 
PAUL ROBICHAUX 

This session gives an overview of the most note- 
worthy new features and enhancements for E14 
(Exchange v14) that you should know about. 


UNIFIED COMMUNICATIONS 


EXC05: INTEGRATING EXCHANGE
UNIFIED MESSAGING WITH OFFICE 
COMMUNICATIONS SERVER 2007 

DAVE BANTHORPE 

Office Communications Server 2007 and the 
Unified Messaging server role in Exchange 2007 
form the core components of the Microsoft Unified 
Communications story. The Exchange 2007 Unified 
Messaging role provides the ability to store voice- 
mail and fax data in the same inbox as your email. 
But how can you leverage the Unified Messaging 
role with your Office Communications Server infra- 
structure? This session looks at the integration of 
these two components and provides guidance on 
how and where they should be deployed. 


EXC06: MANAGING AND MONITORING 
MICROSOFT UNIFIED COMMUNICATIONS 
ENVIRONMENTS 

DAVE BANTHORPE 

Office Communications Server 2007 and the 
Unified Messaging server role in Exchange 2007 
form the core components of the Microsoft Unified 
Communications story. The management and monitoring
of voice-related traffic presents a different
set of challenges to the IT administrator than those
with e-mail. E-mail delivery times are relatively
easy to report on, but what should you look for in
voice traffic? How is the data collected and what
do you do with it? This session looks at the
Microsoft tools (QMS, QoE, etc.) available to you,
how they integrate into the solution, and what
features they provide.


EXC15: SECURITY LESSONS LEARNED FOR 
OCS, EXCHANGE, AND SCMDM DEPLOYMENT 
PATRICK SALMON 

While taken from the numerous challenging cus- 
tomer scenarios encountered during the SCMDM 
2008 TAP, the lessons shared here are equally 
applicable for those deploying OCS and Exchange 
Edge servers into the perimeter network. The 
hardest part of working with any security team is 
getting a Windows Server 2003 server into this 
exposed and potentially high-risk zone. This ses- 
sion is aimed at helping you, as someone tasked 
with equal responsibility for protecting the 
enterprise, to work with security, networking, and 
firewall professionals on the basis of presenting 
them with solutions instead of challenges. 


EXC16: THE COLLABORATION BLENDER 
DEVIN GANGER 

Exchange Server, SharePoint Services, and Outlook 
all have well-defined core capabilities. However, 
they also have a lot of interaction points and over- 
lapping features. What types of content should I 
put in Exchange, what should I put in SharePoint, 
and how do you make them work together? This 
session will examine how to integrate Exchange 
and SharePoint together to provide a better user- 
facing experience in Outlook. 


EXC19: THE UC DEVICE STORY 

LEE MACKEY 

This session will cover all of the UC devices from 
Microsoft, Jabra, Polycom, LG Nortels, and others 
that are used today for OCS and Exchange. The ses- 
sion will go over the different scenarios where they 
are best deployed, as well as walking through con- 
figurations for users. It will also go through the pit- 
falls of the current Update Server from Microsoft 
and how it's deployed. Currently the Update Server 
has challenges for an Enterprise deployment and 
when considering deploying UC Devices, it’s critical 
to know the pitfalls of installing. 


EXC26: EXCHANGE ONLINE 

PAUL ROBICHAUX 

Come find out the latest information on 
Microsoft's plans for hosting Exchange and Office 
Communications Server. 


REGISTER TODAY • 800-505-1201 • 203-268-3204 




MyWinConnections 
magazine 


A conference is about community and we 
want to keep our community connected 
between shows. 


Our new magazine gives you a chance to: 


> Read articles from some of our 
speakers on their hottest 
sessions at the show 


> Check out the on-site 
interviews with speakers 
and attendees 


> Stay connected to the cool friends 
you met at the show 


The magazine will be published a few weeks after each conference. 
We'll send you a link when it is hot off the (virtual) presses! 


www.WinConnections.com/ITmagq 


A one-year subscription to Windows IT Pro 

- Three Lunches 
- Three Continental Breakfasts 
- Reception 
- Proceedings Resource CD 
- Conference T-Shirt and Bag 
...and more 


Enter to 


The winner will drive one home! 


www.WinConnections.com 


WINDOWS 
MICROSOFT DAY 




THE FOLLOWING SESSIONS WILL ALL BE PRESENTED BY SPEAKERS FROM MICROSOFT. 


NETWORK ACCESS PROTECTION OVERVIEW 

MICROSOFT 

Network Access Protection (NAP) is a policy enforcement platform built into 
Windows Vista and Windows Server 2008 that allows you to better protect 
your private network by enforcing compliance with computer health require- 
ments. For example, a firewall must be installed and enabled and the latest 
operating system updates must be installed. With NAP, you can create cus- 
tomized health requirement policies to validate computer health before allow- 
ing network access or communication, automatically update compliant com- 
puters to ensure ongoing compliance, and optionally confine noncompliant 
computers to a restricted network until they become compliant. 


APPLICATION VIRTUALIZATION MANAGEMENT: THE ENTERPRISE 
OF THE FUTURE USING MICROSOFT SYSTEM CENTER 
CONFIGURATION MANAGER 2007 R2 AND MICROSOFT SOFTGRID 
MICROSOFT 

The release of System Center Configuration Manager 2007 has brought strong 
improvements and new capabilities to the enterprise for software distribution. 
In addition, Microsoft Application Virtualization (Formerly SoftGrid) has trans- 
formed the way applications are managed and executed. With the release of 
System Center Configuration Manager 2007 R2, these two technologies align to 
offer a complete enterprise platform for managing both physical and virtual 
applications. In this session, we cover a technical overview of Application 
Virtualization Management within System Center Configuration Manager R2, 
and through demonstration we cover the new advanced features this capabili- 
ty brings the modern organization. 


DEPLOYING WINDOWS SERVER 2008 HYPER-V AND MICROSOFT 
SYSTEM CENTER VIRTUAL MACHINE MANAGER: BEST PRACTICES 
MICROSOFT 

This session covers the basic process of deploying Hyper-V and VMM in a prod- 
uct environment and then highlights best practices. The session covers guid- 
ance for bare metal provisioning and fine grained control of Hyper-V. From a 
virtualization management perspective, the session covers the management 
architecture and top ten things to do as part of the deployment process. 


MANAGING WINDOWS SERVER UPDATE SERVICES 3.0 SERVERS 
MICROSOFT 

This session provides tips, tricks, and best practices for managing Windows 
Server Update Services (WSUS) 3 (RTM and SP1) servers, including DB mainte- 
nance, cleanup, backup, best practices for deploying updates to desktops and 
servers, and extending the functionality of WSUS through PowerShell and SQL. 


MICROSOFT FOREFRONT EDGE SECURITY AND ACCESS PRODUCTS: 
WHAT'S NEW WITH ISA SERVER AND THE INTELLIGENT 
APPLICATION GATEWAY, AND A SNEAK PEEK AT THE FUTURE! 
MICROSOFT 

Internet Security and Acceleration (ISA) Server and the Intelligent Application 
Gateway (IAG) provide critical functionality for the management and security 
of inbound and outbound connections between your enterprise and the 
Internet. Learn about key product capabilities and deployment scenarios, and 
discover the new capabilities delivered in the ISA Server Supportability Update 
(e.g., enhanced troubleshooting, diagnostics, and logging) and IAG Server Pack 
1 (e.g., pre-authentication with ADFS, enhanced smart-card support, perform- 
ance improvements). We finish out the session with a glimpse into what lies 
ahead in the future roadmap for both products. 


TECHNICAL INTRODUCTION TO MICROSOFT SYSTEM CENTER DATA 
PROTECTION MANAGER 2007 

MICROSOFT 

In this session, we provide an overview of System Center Data Protection 
Manager (DPM) 2007. You will learn how to use DPM to protect primary 
workloads (Microsoft SQL Server, Microsoft Exchange, Office SharePoint Server, 
and Microsoft Virtual Server) using both near continuous protection to disk and 
long term archival to tape. 


WINDOWS SERVER 2008 HYPER-V: SECURITY 

AND BEST PRACTICES 

MICROSOFT 

This session focuses on the security best practices for server virtualization 
and what customers need to do from both a platform and management stand- 
point to tighten the security for their virtualization environment. The session 
also covers the base architecture of Hyper-V and provides guidance on key 
areas like identity management, network hardening, etc. 


WINDOWS SERVER 2008 TERMINAL SERVER SECURITY 

AND AUTHENTICATION 

MICROSOFT 

Windows Server 2008 introduces many new Terminal Services (TS) capabilities 
that can be used to provide access to applications and data from anywhere. 
This session focuses on securing that connectivity and begins with a look at 
the underlying encryption and authentication options in TS. We then investi- 
gate security best practices for TS Gateway and finally focus on integration 
with Forefront Edge products and Network Access Protection. You'll leave the 
session with a strong understanding of how to design secure anywhere access 
solutions on Windows Server 2008 Terminal Services. 


For sponsorship 
information, contact 


Rod Dunlap 
Tel: 480-917-3527 
E-mail: rod@devconnections.com 
SEE WEB SITE FOR MORE DETAILS 


EVERYTHING YOU NEED TO KNOW ABOUT 
STORAGE TECHNOLOGIES BUT WERE 
AFRAID TO ASK 

ALAN SUGANO 

If your company is like most companies, you are 
probably running low on disk space as storage 
hungry applications eat up disk space like con- 
testants in a pie-eating contest. But what's the 
best solution for your company? With the advent 
of newer drive interface technologies like Serial 
Attached SCSI (SAS) and Serial ATA (SATA), there 
is a lot more to choose from when selecting a 
storage solution. This session will cover the stor- 
age basics of locally attached storage, network 
attached storage (NAS), just a bunch of disks 
(JBODs), and storage area networks (SANs), what 
they are, where they are typically used, and how 
they fit into a comprehensive storage strategy 
for your company. We'll also look at the 
enhancements to Windows Storage Server (WSS) 
that are scheduled to be released with Windows 
Server 2008. 


SQL SERVER ADMINISTRATION FOR THE 
NON-DBA 

ALAN SUGANO 

Ok, so you became the SQL Server DBA by 
default because you were already the network 
administrator. You know that administration of a 
SQL Server can be a scary and difficult task to 
undertake, especially when you're new to SQL 
Server. This session will discuss the basics of 
SQL Server Administration, including backup, 
performance tuning, moving databases, manag- 
ing stored procedures, log shipping, database 
mirroring, basic security, Windows versus SQL 
Server authentication, connecting to SQL Server 
and monitoring of log files and databases. This 
session will cover the basics of the care and 
feeding of SQL Server to ensure your SQL Server 
will be stable and reliable. 


DEPLOYMENT, GROUP POLICY, 
MANAGEMENT 


DIVE DEEP INTO THE WINDOWS 
AUTOMATED INSTALLATION TOOLKIT 1.1 
RHONDA LAYFIELD 

The WAIK has been out for a while so some of you 
may think you've heard it all-this session is for 
novices and experts alike. Truly understand how 
WIM files are created and applied, from the meta- 
data and file data to the hashes that are created 
and the compression algorithms used in the new 
ImageX utility. Find out what's new in the 
Windows Pre-installation environment 2.1. 
And, don't miss the Windows System Image 
Manager that allows you to create custom .xml 
automated installation scripts-there is quite a 
learning curve in getting started with this utility. 
So, let DDPS Rhonda Layfield, who is one of six 
Deployment MVPs in the country, give you the 
quick down and dirty on how to get started as 
well as address some known issues. 


ACTIVE DIRECTORY AND POWERSHELL- 
A MATCH MADE IN HEAVEN 

DARREN MAR-ELIA 

From using the ADSI “adapter” to working with AD 
directly within PowerShell, this session will focus 
on providing tips and techniques for scripting a 
variety of AD management operations using 
PowerShell. We'll show you how you can create 
and edit AD objects and attributes, perform 
searches, and perform advanced management 
tasks against AD using PowerShell. 


DIVE DEEP INTO THE MICROSOFT 
DEPLOYMENT TOOLKIT 

RHONDA LAYFIELD 

If you are new to Microsoft's deployment tools or 
an expert already, this session is for you! The 
Microsoft Deployment Toolkit (MDT, formerly 
known as the BDD) is a simplified way of using 
Microsoft's other deployment tools like ImageX, 
WinPE, and WSIM. It has some cool new features 
like: the powerful task sequencer and new tem- 
plates available that give you more control than 
ever before of your deployments, and more 
extensive support for deploying Windows Servers, 
including automated role installation using Server 
Manager in Windows Server 2008. And Vista SP1 
has some quirky deployment issues that are alle- 
viated by the MDT. Let Rhonda Layfield, who is 
one of 30 Microsoft Deployment MVPs in the 
world, walk you through the improvements and 
the pitfalls of lite touch installations and zero 
touch installations. 


THE SCARY TRUTH ABOUT GROUP POLICY 
DARREN MAR-ELIA 

This session is a highly advanced look at the 
internals of Group Policy-how it works at the low- 
est levels and how you can bend it to your will. 
This session is not for the faint of heart. We will 
look deep under the covers of Group Policy stor- 
age and Group Policy processing, and uncover 
mysteries such as why some registry policies tat- 
too and others don't, why Group Policy sometimes 
seems to work and sometimes doesn't, and other 
important secrets that Microsoft won't tell you. 


WINDOWS 


SESSIONS 


WHAT KEEPS YOU AWAKE AT NIGHT? 

AN AD FUNDAMENTALS CHECKLIST 
SEAN DEUBY 

As an IT professional in a time of shrinking budg- 
ets, the top of your to-do list probably involves 
fighting fires and getting only the most important 
"must-do" items finished. Your AD is running, but 
you haven't had time to knock out those impor- 
tant-but-not-urgent AD configuration tasks. Do 
you have backups that really work? If they do, 
what about a tested disaster recovery plan that 
uses them? Do you have a backup copy of your 
DNS configuration? Attend this session to review 
what you've done so far, and time-efficient ways 
to make your AD implementations more secure, 
reliable, and low effort. 


WHAT'S NEW IN GROUP POLICY PART I: 
VISTA, WINDOWS SERVER 2008, THE 
GROUP POLICY PREFERENCES, AND MORE 
JEREMY MOSKOWITZ 

What's new in Group Policy? Short answer: lots. 
With Microsoft releasing Windows Server 2008, 
Windows Vista, an updated GPMC, and the Group 
Policy Preference Extensions, it's like a 
Thanksgiving dinner you get to eat every day! So 
come hear the essential “What every admin 
absolutely needs to know" about Windows Vista 
and Group Policy. Learn why you need a modern 
management station to support the new GPMC. 
Learn how to lock out hardware, zap printers, 
and keep yourself out of trouble with new 
“MLGPOs." See the 21 new “big things” Microsoft 
has gifted to every administrator. Even if you're 
not ready for Windows Vista now, that's okay, you 
positively must come to this session to learn the 
ropes from Jeremy Moskowitz, Group Policy MVP. 
(Note some material is covered in Jeremy's pre- 
conference workshop.) 


WHAT'S NEW IN GROUP POLICY PART II: 
TROUBLESHOOTING 

JEREMY MOSKOWITZ 

The beauty of Group Policy changes in Windows 
Vista is not skin deep. There are some basic and 
detailed changes lying under the hood. Jeremy 
Moskowitz, Group Policy MVP of GPanswers.com 
and author of Group Policy Fundamentals, Security, 
and Troubleshooting is just the guy to bring it to 
you. In this session, you'll learn why you can't 
just run gpresult.exe anymore and get the 
results you want. You'll discover what happens 
if you reconnect to a network after a long 
absence. You'll learn how to crack open the new 
Vista event log and trace Group Policy flow to 
figure out what might be going on. You'll learn 
how to troubleshoot the new Group Policy 
Preference Extensions. You'll learn how other 
areas, like Offline Files and Group Policy 
Software Installation can be tweaked to give 
you just the information you need to fix what 
ails you. If you're looking for Group Policy 
answers to your troubleshooting questions, this 
is the session for you. 


WINDOWS DEPLOYMENT SERVICES IN 
SERVER 2008-WOW 

RHONDA LAYFIELD 

You may already know WDS replaces the Remote 
Installation Service (RIS), but what you might not 
know is that WDS in Server 2008 is a very useful 
(and free) deployment tool that's well worth tak- 
ing the time to understand. WDS lets you create 
and store a library of XP, Vista, and Server 
2003/2008 file-based images. The images are 
delivered to your bare-metal machines using a 
new Multicasting protocol-no floppies required. 
The new WDS management tools allow adminis- 
trators to monitor real-time progress of clients 
along with full logging and reporting. No more 
guessing as to which clients received the image 
and which did not and why. Join Rhonda Layfield, 
one of the very few holders of the Desktop 
Deployment Product Specialist Certification and 
one of six Microsoft Deployment MVPs in the U.S., 
who has been using and writing about WDS since 
it shipped in the Windows Automated Installation 
Toolkit in November of 2006. Get the details on 
the new Multicasting protocol along with a look at 
the new TFTP performance enhancements and 
Extensible Firmware Interface (EFI) network boot 
support for x64 systems. Don't miss this session 
with the “Deployment Diva” if you ever plan to 
deploy images in your environment! 


POWERSHELL 


LEARNING TO LOVE POWERSHELL 
DARREN MAR-ELIA 

This session will provide an introductory look at 
this most powerful of Microsoft scripting tech- 
nologies. In this session, you'll learn the differ- 
ence between a cmdlet, a function, and a script 
and how you can create and use each. Most 
importantly, you'll learn what the pipeline is all 
about and how you can leverage it to automate 
any number of administrative tasks. We'll also 
take a spin around learning how to navigate the 
file system and registry using PowerShell’s very 
powerful “PSDrive” capabilities. Finally, we'll look 
at some more interesting features, like getting 
access to WMI using PowerShell, to show how you 
can get at a whole world of systems manage- 
ment capabilities. 


SECURITY 


DEEP DIVE INTO DEPLOYING WINDOWS 
SERVER 2008 PKI (TWO-PART SESSION) 
BRIAN KOMAR 

A public key infrastructure (PKI) is a fundamental 
component of an enterprise security strategy. A 
PKI supports and affects logon authentication, 
encryption, application security, and more. In this 
two-part session, exclusive to Windows 
Connections, PKI guru Brian Komar will highlight 
the changes introduced in Windows Server 2008 
that will assist your PKI deployment. The session 
will include integrating Windows 2008 CAs into an 
existing Windows 2003 PKI, upgrading existing 
CAs, and how to implement CA clustering. 


NOTES FROM THE FIELD: DEPLOYING 
MICROSOFT IDENTITY LIFECYCLE 
MANAGER 2007 CERTIFICATE 
MANAGEMENT 

BRIAN KOMAR 

Many organizations are considering deploying 
Identity Lifecycle Manager 2007 Certificate 
Management (aka CLM) to manage their smart 
card deployment. This session brings information 
from MCS engagements where CLM and smart 
cards were deployed. The session highlights what 
lessons were learned by MCS and the customers 
during these deployments including methods of 
increasing security, performance, and meeting 
customer security policies. 


REIMAGINING SECURITY AND 
MANAGEABILITY: WINDOWS SERVER 
2008 FILE SERVER ROLE 

DAN HOLME 

Windows Server 2008 improves on the solid per- 
formance and functionality of previous versions 
of Windows file services. Features such as file 
screens, quotas, DFS Namespaces, access-based 
enumeration, and the powerful new Owner Rights 
identity are important pieces of the puzzle. But to 
implement the perfect file server, you need more. 
You need the ability to answer the questions, 
“Who has access to this file?” and “What can John 
Doe get to?" Get the free tools and scripts you 
need for a more manageable file server. 


STEP-BY-STEP: CREATING A SECURE 
DESKTOP WITH GROUP POLICY 

DARREN MAR-ELIA 

This session focuses on practical guidance for 
using the myriad of security features within 
Group Policy to create a secure desktop configu- 
ration. We will walk through how you can imple- 
ment features such as Software Restriction 
Policy, Windows Firewall, IPSec, IE security and 
related technologies and provide practical advice 
that you can implement in your environment 
right away. 


VIRTUALIZATION 


INCORPORATING VIRTUALIZATION INTO 
DISASTER RECOVERY 

ALAN SUGANO 

A comprehensive Disaster Recovery Plan is some- 
thing that every company should have and hope- 
fully will never have to use. Having a plan in place 
that provided a road map to recovery was ade- 
quate in the past, but recent emphasis has been 
placed on the speed of the recovery. Sarbanes- 
Oxley (SOX) compliance companies must disclose 
their business continuity plans and the company’s 
exposure to a prolonged outage and how it 
affects financial reporting. Virtualization can sig- 
nificantly reduce the recovery time for a major 
disaster by providing a warm or hot remote 
recovery site and accelerate workstation and 
server setup. 


MICROSOFT APPLICATION 
VIRTUALIZATION (SOFTGRID) 101 
JEREMY MOSKOWITZ 

Let me guess: your machines just “blow up” now 
and again. And I know why. It's because you have 
a zillion applications on them with a half a zillion 
conflicts and things just “deteriorate” over time. 
Wouldn't it be neat if you could just eliminate that 
problem altogether? Well, with Microsoft 
Application Virtualization, better known as 
Softgrid, you can. It works by “wrapping up” your 
existing software into “sequences,” and then put- 
ting them into a virtual sandbox. The upshot? 
Your applications aren't running “on” Windows. 
They're running within the sandbox. So, no more 
desktop deterioration. Oh, and learn how to use 
your existing management tool (like Group Policy, 
LANDesk, or SCCM 2007) to deploy Softgrid appli- 
cations to your existing desktops and servers. 
Softgrid is a big place, but come to this session to 
make sure you know the ins and outs before you 
get it in your organization! 


REAL CONTROL FOR YOUR VIRTUAL 
ENVIRONMENT: SYSTEM CENTER VIRTUAL 
MACHINE MANAGER 2008 

SEAN DEUBY 

Managing your virtual machines presents a differ- 
ent set of challenges than managing physical 
servers. Virtual systems move around on different 
physical hosts, they can be quickly provisioned or 
deprovisioned, their large disk images present 
unique management, security, and performance 
challenges...the list goes on. Microsoft's System 
Center Virtual Machine Manager (SCVMM) 2008 is 
designed to handle all these challenges of man- 
aging virtual systems from both Microsoft and 
VMware, from workgroup-sized configurations to 
full enterprise deployments. SCVMM 2008 fully 
supports Microsoft's Hyper-V virtualization tech- 
nology, and Hyper-V functionality will be 
reviewed. Check out this session to learn how to 
quickly begin using SCVMM to manage your entire 
virtual environment. 


WINDOWS TECHNOLOGIES 


ACTIVE DIRECTORY DOMAIN SERVICES 
DRILL-DOWN 

DAN HOLME 

Windows Server 2008 enhances Active Directory 
Domain Services in many ways. Some, like read- 
only domain controllers, are highly touted and 
well documented. Some, like fine-grained pass- 
word policy and directory services auditing, are 
highly touted but less well understood. And oth- 
ers, like subtle changes to functionality of DFS 
and new attributes, aren't touted though they 
should be! Join Dan Holme, author of Microsoft's 
Active Directory exam Training Kit, for a fast- 
paced, solutions-focused look at the most impor- 
tant new features of Windows Server 2008 AD DS. 


ADMINISTRATORS’ IDOL: THE COOLEST 
SESSION EVER 

DAN HOLME 

OK, the title got your attention at least, right? So 
here's the scoop. From his work with thousands of 
IT professionals, from the CIOs of Fortune compa- 
nies to front-line support professionals at the 
Olympic games with NBC, Dan has amassed a 
wealth of tricks to boost your productivity as an 
administrator. In this fast-paced session, Dan will 
share how to build truly amazing administrative 
toolsets that extend your reach, automate tedious 
tasks, and enable your entire IT organization to 
work smarter, faster, and more securely. You'll 
learn tricks that will amaze not only your friends 
and coworkers, but yourself as well. 


GOING COLD TURKEY ON THE GUI: 
SERVER CORE STEP BY STEP 

MARK MINASI 

For years you've known it: you've just GOT to get 
more familiar with the command line. You get 
things done faster, you can create simple batch 
files for automating many tasks, and, best of all, 
when you're working from the GUI, then your 
boss starts to think: “Hey, what IS that thing 
he/she's using? We need to pay techie employ- 
ees like them more money!” Well, Windows 2008 
command-line-only Server Core has arrived, so 
here is your opportunity. Mark Minasi walks you 
through the process of building a Server Core 
server from setup to initial configuration to full- 
blown DNS, Active Directory, and more. Every 
step includes the specific commands, options, 
and working examples to ease the path from 
“GUI admin" to “command-line ninja!” 


IPV6 FOR THE RELUCTANT: WHAT TO 
KNOW BEFORE YOU TURN OFF V6 (AND 
WHY IT MIGHT GET YOU FIRED) 

MARK MINASI 

Vista has arrived. Windows Server 2008 has 
arrived. And with them they bring...IPv6. Your first 
reaction when you see an IPv6 address like 
“fe80::5efe:10.50.50.112" might be: “Hmmm... that's 
a lotta colons, and I KNOW what comes out of 
colons!" But is that the RIGHT reaction? Join vet- 
eran Windows explainer Mark Minasi in a look at 
the latest version of IPv6... and whether you'll 
want to leave it on or turn it off. In this whirlwind 
tour, Mark explains the motivation for IPv6 and 
the technologies behind its implementation 
(which saves you from having to read 30 RFCs), 
and then focuses on the specifics of the Microsoft 
in-the-box IPv6 stack. In the process you may just 
decide that IPv6 is pretty nifty, after all! 


NAME RESOLUTION 2008 STYLE - WHAT'S 
NEW IN DNS FOR SERVER 2008? 

MARK MINASI 

Windows Server 2008 is here-and so is DNS, 2008 
style! What's the story with WINS; is it time to go? 
How does Windows 2008 DNS affect Active 
Directory? What about those new “magic” 
records, the DNAME and GLOBALNAMES feature? 
And most important, how the heck do I administer 
a DNS server running on Server Core? Find out 
with the Master of Name Resolution, Mark Minasi! 


PLANNING FOR WINDOWS SERVER 2008 
AND VISTA LICENSING 

SEAN DEUBY 

Any rollout of Windows Server 2008 or Vista 
requires planning for Volume Activation 2.0. If 
you don't, your systems will grind to a halt a 
month after you've deployed them. You have to 
make a number of design decisions for your VA 
2.0 infrastructure; this session will provide you 
with key information from practical experience to 
help you plan. 




SAY G'BYE TO FILE SHARES: 21ST 
CENTURY COLLABORATION WITH WSS 
DOCUMENT LIBRARIES 

DAN HOLME 

It's time to start moving your shared folders to 
SharePoint. Why? Because the features that we've 
all been missing-including document metadata, 
checkout, version control, and content approval- 
are now achievable using Windows SharePoint 
Services document libraries. Learn how to move 
forward into a new era of document management 
in this practical application of Windows SharePoint 
Services. Discover advanced and underdocument- 
ed solutions for providing users shortcuts to docu- 
ment libraries, serving custom templates, and 
working with document properties. 


VISTA TAKE TWO: A LOOK AT VISTA SP1... 
AND WHETHER VISTA’S NOW READY 

FOR YOU 

MARK MINASI 

Okay, all of you Vista haters-it's here! You've 
been saying “um, I'm not really sure about Vista, 
so I'm going to wait for SP1,” so let's ask: Is it 
good enough yet? Join a Windows techie, an 
unabashed and unrepentant Vista liker, in a 
steely-eyed look at Windows Vista SP1. First, learn 
the easiest ways to roll it out, and how it affects 
Windows' new nifty deployment tools. Then, really 
dive down with a look at how it affects perform- 
ance and compatibility. Following that, see what 
completely new things arrive with SP1. Does SP1 
make things better? Worse? Will it actually take 
so long to download that Windows Vista SP2 will 
be out before you get it? Join Mark for this ses- 
sion and find out! 


SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 


SHAREPOINT 


MICROSOFT DAY 


THE FOLLOWING SESSIONS WILL ALL BE PRESENTED BY SPEAKERS FROM MICROSOFT. 


NOT JUST SPREADSHEETS: MICROSOFT OFFICE AND EXCEL AS A 
BUSINESS INTELLIGENCE DEVELOPMENT PLATFORM 
MICROSOFT 


INTRODUCTION TO SHAREPOINT DEVELOPMENT WITH MICROSOFT 
VISUAL STUDIO 2008 
MICROSOFT 


DEVELOPING YOUR FIRST OFFICE BUSINESS APPLICATION: FROM 
THE CLIENT TO SHAREPOINT AND BEYOND 
MICROSOFT 


LIGHT UP YOUR SHAREPOINT WEB SITE WITH MICROSOFT 
SILVERLIGHT AND AJAX 
MICROSOFT 


SHAREPOINT AND ECM: EMPOWERING YOUR USERS WHILE 
MAINTAINING INFORMATION GOVERNANCE AND COMPLIANCE 
MICROSOFT 


MASHING-UP THE WEB: SHAREPOINT AND SHAREPOINT DESIGNER 
MICROSOFT 


CUSTOMIZING AND EXTENDING SHAREPOINT SEARCH 
MICROSOFT 


SHAREPOINT: IT IS NOT JUST FOR INTRANETS-EXTENDING 
SHAREPOINT TO THE EXTRANET AND INTERNET 
MICROSOFT 


SHAREPOINT 
SESSIONS 


BUSINESS INTELLIGENCE 
AND SHAREPOINT 


HBI101: 10 THINGS YOU NEED TO KNOW 
ABOUT PERFORMANCEPOINT SERVER 
MAURO CARDARELLI 


HBI301: CONNECTING TO YOUR ORACLE 
DATA WITH SHAREPOINT 
MAURO CARDARELLI 


HBI302: BUILDING A SALES PIPELINE 
APPLICATION WITH REPORT CENTER 
MAURO CARDARELLI 


DEPLOYMENT, ADMINISTRATION, 
OPERATION, AND OPTIMIZATION 
OF SHAREPOINT 


HBI303: INTRODUCTION TO MOSS 
ADMINISTRATION 
MICHAEL BLUMENTHAL 


HBI304: SITE PROVISIONING SOLUTIONS 
MICHAEL BLUMENTHAL 


FORMS AND WORKFLOW 
WITH SHAREPOINT 


HFW301: CONVERT YOUR EXISTING WORD 
AND EXCEL FORMS TO INFOPATH 
ASIF REHMANI 


HFW302: DESIGN POWERFUL WORKFLOWS 
WITH SHAREPOINT DESIGNER 
ASIF REHMANI 


HFW303: SIGN YOUR INFOPATH 
ELECTRONIC FORMS USING DIGITAL 
SIGNATURES AND PUBLISH 

TO FORMS SERVER 

ASIF REHMANI 


HFW304: ADDING CODELESS WORKFLOWS 
TO INFOPATH FORM SOLUTIONS 
DAVID GERHARDT 


HFW305: DEVELOPING INFOPATH 
BROWSER FORMS FOR SHAREPOINT 
DAVID GERHARDT 


HFW306: DEVELOPING INFOPATH CLIENT- 
ONLY FORMS FOR SHAREPOINT 
DAVID GERHARDT 


MOSS SEARCH 


HSE301: CUSTOMIZING SEARCH CENTERS 
TO SUPPORT SEARCH SERVER 2008 
DANIEL WEBSTER 


HSE102: HOW MICROSOFT SEARCH SERVER 
2008 EXPANDED SEARCH IN SHAREPOINT 
SERVER 2007 

DANIEL WEBSTER 


HSE303: USING FEDERATED LOCATION 
DEFINITIONS AND LEVERAGING LIVE.COM 
WITH SEARCH 

DANIEL WEBSTER 


HSE304: MOSS SEARCH: IMPROVING 
RELEVANCE AND THE SEARCH EXPERIENCE 
USING THE API 

ERIK MAU 


HSE305: MOSS SEARCH: LEVERAGING 
YOUR INVESTMENT IN THE PLATFORM 
ERIK MAU 


HSE306: MOSS SEARCH: UNIFYING 
BUSINESS DATA AND DOCUMENTS 
ERIK MAU 


NOVEMBER 10-13, 2008 • LAS VEGAS, NV 


SHAREPOINT ARCHITECTURE 
AND CAPACITY PLANNING 


HAR201: INFORMATION ARCHITECTURE 
FOR A MOSS INTRANET 
MICHAEL BLUMENTHAL 


HAR302: ARCHITECTING A HIGHLY 
REDUNDANT SHAREPOINT 2007 FARM 
MICHAEL NOEL 


HAR303: BUILDING THE PERFECT 
SHAREPOINT FARM: A WALKTHROUGH OF 
BEST PRACTICES FROM THE FIELD 
MICHAEL NOEL 


HAR304: VIRTUALIZING SHAREPOINT 
COMPONENTS 
MICHAEL NOEL 


SHAREPOINT CUSTOMIZATION 


HCS301: AUTOMATING COMMON 
SHAREPOINT TASKS WITH POWERSHELL 
NEIL IVERSEN 


HCS202: EFFECTIVELY USING FEATURES 
AND SOLUTIONS 
NEIL IVERSEN 




HCS403: PACKAGING YOUR ADVANCED 
SHAREPOINT CUSTOMIZATIONS 
NEIL IVERSEN 


HCS304: INTEGRATING ACCESS 
AND SHAREPOINT 
TY ANDERSON 


HCS305: OUTLOOK AND SHAREPOINT 
USING LINQ TO SQL 
TY ANDERSON 


HCS306: BUILDING CUSTOM WORKFLOWS 
WITH VSTO 
TY ANDERSON 


SHAREPOINT FOR 
ENTERPRISE CONTENT 
MANAGEMENT 


HEC301: CREATING AND DEPLOYING A 
CUSTOM DOCUMENT CONVERTER FOR 
SHAREPOINT 2007 
PAUL STORK 


HEC302: DEPLOYING CONTENT AND 
INFRASTRUCTURE IN A WEB CONTENT 
MANAGEMENT ENVIRONMENT 
PAUL STORK 


HEC303: DEVELOPING PRINTABLE 
SHAREPOINT PAGE LAYOUTS USING CSS 
PAUL STORK 


HEC204: FIVE SHAREPOINT FRIENDS IN AN 
ECM WORLD 
SAHIL MALIK 


HEC305: LARGE OBJECT STORAGE 
IN SHAREPOINT 
SAHIL MALIK 


HEC306: WHY CONTENT TYPES 
ARE YOUR FRIEND 
SAHIL MALIK 


SHAREPOINT SECURITY AND 
EXTRANETS 


HSC301: SHAREPOINT PERSONALITY 
DISORDER: FBA, ADFS, LIVEID, NTLM, 
KERBEROS, LDAP... EGAD... 

ROBERT GINSBURG 


HSC302: YOU WANT TO TRUST WHO?
FEDERATED EXTRANET SCENARIOS
AND SHAREPOINT (A CASE FOR AN
IDENTITY FIREWALL)
ROBERT GINSBURG


HSC303: SHAREPOINT AND ILM-ACCOUNT 
MANAGEMENT ON STEROIDS 
ROBERT GINSBURG 


Tuesday, November 11, 2008 11:45 AM Lunch • Sign up at Conference Registration Desk


REGISTER TODAY • 800-505-1201 • 203-268-3204

OCTOBER 6-8, 2008
SAN FRANCISCO MARRIOTT 
SAN FRANCISCO, CA 


BRING YOUR TEAM 
TO IT CONNECTIONS 
IN SAN FRANCISCO 


Strategic and technical expertise 
to guide your technology decisions 
and implementations 


Imagine the opportunity for your IT leadership—executives and management—to develop strategic visions for your enterprise technology with the guidance of industry leaders...and for IT professionals to master the details of implementing those technologies through in-depth workshops led by renowned experts, then to come together, as a team, joined by IT professionals and leadership from other business, academic, and governmental organizations... To learn... to discuss... to question... to solve... and to share.


DEVELOPED BY MICROSOFT, TECHNET, PENTON MEDIA, AND HP 


Early Bird Registration Bonus: receive a FREE NIGHT at the San Francisco Marriott if you register by August 11, 2008 (based on a 3-night minimum stay)


This unique 3-day conference will feature strategic sessions to help your enterprise align important new technologies to support your near and long term requirements, including:
• Virtualization
• Cloud Computing
• Automation and Consolidation
• Green Computing
• Unified Communications
• Systems Management
• Security

And incredible technical workshops led by independent, nationally-recognized gurus featuring:
• Windows Server 2008 and Windows Vista
• Active Directory, Group Policy, and PowerShell
• Exchange and Office Communications Server
• SharePoint
• System Center
• Hyper-V and VMware
• SQL Server 2008


THIS EVENT IS FOR: 
CIOS / CTOS • TECHNICAL DECISION MAKERS • BUSINESS DECISION MAKERS • IT MANAGERS • AND IT PROFESSIONALS


Bring Your IT Team! 
SPEAKERS


A UNIQUE OPPORTUNITY TO GET YOUR TECHNOLOGY 
AND TRAINING FROM MICROSOFT AND INDUSTRY EXPERTS! 


TY ANDERSON
COGENT COMPANY, LLC

THOMAS FOREMAN

DAN HOLME
INTELLIEM, INC.

SAHIL MALIK
WINSMARTS

JEREMY MOSKOWITZ
MOSKOWITZ, INC.

PATRICK SALMON
ENTERPRISE MOBILE

DEVIN L. GANGER
3 SHARP, LLC

DARREN MAR-ELIA
DESKTOPSTANDARD

MICHAEL NOEL
CONVERGENT COMPUTING

PAUL STORK
MINDSHARP

MICHAEL BLUMENTHAL
MAGENIC TECHNOLOGIES

DAVID GERHARDT
3 SHARP, LLC

DON JONES
CONSULTANT/AUTHOR

ERIK MAU
INETIUM

PETER O'DOWD
BLADE/WADEWARE

ALAN SUGANO
ADS CONSULTING GROUP

MAURO CARDARELLI
JORNATA

ROBERT GINSBURG
VERSION 3, INC.

BRIAN KOMAR
IDENTIT, INC.

JIM MCBEE
ITHICOS SOLUTIONS

ASIF REHMANI
SHAREPOINT SOLUTIONS

KIMBERLY L. TRIPP
SQLSKILLS.COM

ROBERT DAWSON
HP

SCOTT GUTHRIE
MICROSOFT

RHONDA LAYFIELD
CONSULTANT/TRAINER

KIERAN MCCORRY
HP

STEVE RILEY
MICROSOFT

DANIEL WEBSTER
MINDSHARP

SEAN DEUBY
ADVAIYA INC.

JUERGEN HASSLAUER
HP

WILLIAM LEFKOVICS

MARK MINASI
MINASI R&D

PAUL ROBICHAUX
3 SHARP, LLC

... AND MANY MORE EXCITING SPEAKERS!


LAS VEGAS


NEVADA 
NOVEMBER 10-13, 2008 


HOTEL ACCOMMODATIONS 
Mandalay Bay Resort and Casino, 3950 Las Vegas Blvd. South, Las Vegas, Nevada, 89119 is the conference site and host hotel. SPACE IS LIMITED so reserve your room early by calling the conference hotline at 800-505-1201 or 203-268-3204.


* NOTE: ROOMS AT MANDALAY BAY HAVE BEEN TOTALLY REMODELED, VERY COOL! SPACE IS LIMITED - 
LAST YEAR ROOMS SOLD OUT EARLY SO BOOK YOUR ROOM TODAY! 


AIRLINE 
Please call Pericas Travel at 203-562-6668 for airline reservations. 


CAR RENTAL 
Hertz is offering auto rental discounts to attendees. Call the Hertz Meeting Desk at 800-654-2240 for reservations and refer to code CV# 010RO036 to receive your attendee discount.


ATTIRE
The recommended dress for the conference is casual and comfortable. Please bring along a sweater or jacket, as the ballrooms can get cool with the hotel's air conditioning.


SPONSORSHIP/EXHIBIT INFORMATION
For sponsorship information, contact:
Rod Dunlap
480-917-3527 phone
E-mail rod@devconnections.com
See Web site for more details. www.WinConnections.com


TAX DEDUCTION
Your attendance to a DevConnections conference may be tax deductible. Visit www.irs.ustreas.gov. Look for topic 513 - Educational Expenses. You may be able to deduct the conference fee if you undertake to (1) maintain or improve skills required in your present job; (2) fulfill an employment condition mandated by your employer to keep your salary, status, or job.


GROUP DISCOUNT
Register individuals from one company at the same time and receive a group discount.
1-3 registrants: $1,495 per person
Additional registrants after the 3rd (4th, 5th, 6th...): $1,295 per person ($200 off each)
Call 800-505-1201 to take advantage of group discount pricing.


Network with your colleagues at this 4-star resort! There's so much to do, you'll never have to leave.
• 11-acre tropical
• Sandy beach
• 3/4 mile lazy river
• 30,000 sq.ft. luxury spa and fitness center
• 16 restaurants on site, including The House of Blues
• 135,000 sq.ft. casino
• 12,000 seat sports/entertainment complex
• Shark Reef
• Exciting shows and events

NOTES & POLICIES: The Conference Producers reserve the right to cancel the conference by refunding the registra- 
tion fee. Producers can substitute speakers and topics and cancel sessions without notice or obligation. Updates 
will be posted on our Web site at www.WinConnections.com. Tape recording, photography is not allowed at any ses- 
sion. Conference producers will be taking candid pictures of events and reserve the right to reproduce. By attend- 
ing this conference you agree to this policy. You may transfer this registration to a colleague. Please inform us if 
you have any special needs or dietary restrictions when you register. The conference registration includes a one- 
year print subscription to Windows IT Pro. Current subscribers will have an additional one year added to their sub- 
scription. Subscriptions outside of the United States and Canada will be digital. $25 of the funds will be allocated 
toward a subscription to Windows ITPro ($49.95 value). REGISTRATION & CANCELLATION POLICY: Registrations are not 
confirmed until payment is received. Cancellations before October 6, 2008 must be received in writing and will be 
refunded minus a $100 processing fee. After October 6, 2008 cancellations and no shows are liable for full registra- 
tion, it can be transferred to the next Connections conference within 12 months or to another person. Active 
Directory, Microsoft, MSDN, Outlook, Windows NT, Windows Server, Windows Vista, and Windows are either trade- 
marks or registered trademarks of Microsoft Corporation. All other trademarks are property of their owners. 
ONLINE www.WinConnections.com
E-MAIL info@devconnections.com


FULL CONFERENCE REGISTRATION INCLUDES: KEYNOTE ON NOVEMBER 10TH, 6:30PM, THROUGH CLOSING SESSION ON NOVEMBER 13TH, 4:30PM


MAIL
Microsoft Exchange Connections 2008
Windows Connections 2008
Unified Communications Connections 2008
SharePoint Connections 2008
c/o Tech Conferences, Inc.
731 Main Street, Suite C-3
Monroe, CT 06468


NAME / PRIORITY CODE
COMPANY / TITLE
STREET ADDRESS (REQUIRED TO MAIL CONFIRMATION MATERIALS)
CITY, STATE, POSTAL CODE / COUNTRY
TELEPHONE / FAX / E-MAIL ADDRESS (IMPORTANT)

☐ Microsoft Exchange & Unified Communications Connections: on or before August 25, 2008, $1395.00; after August 25, 2008, $1495.00


PRE-CONFERENCE WORKSHOPS: SUNDAY, NOVEMBER 9, 2007 (LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.)
☐ 9:00AM - 4:00PM Automating IT Operations by Using Windows PowerShell (2-day workshop) (Bring Your Own Laptop), JONES: $798
☐ 9:00AM - 4:00PM U-Fix-It: Troubleshooting Exchange Server 2007 (Bring Your Own Laptop), O'DOWD: $399
☐ 9:00AM - 4:00PM Database Best Practices for the Involuntary DBA, TRIPP & RANDAL: $399

PRE-CONFERENCE WORKSHOPS: MONDAY, NOVEMBER 10, 2008 (LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.)
☐ 9:00AM - 12:00PM Group Policy Fundamentals, Security, and Control, MOSKOWITZ: $199
☐ 1:00PM - 4:00PM Virtualization: A Real-World Jump Start, SUGANO: $199
☐ 9:00AM - 4:00PM Walk in the Park: Microsoft Exchange 2007 Hands-on Labs (Bring Your Own Laptop), O'DOWD: $399
☐ 9:00AM - 4:00PM SharePoint Server 2007 Document Management Best Practices, CURRY: $399
☐ 9:00AM - 4:00PM Platform Extension Model for SharePoint Products and Technologies, HERMAN: $399

POST-CONFERENCE WORKSHOPS: FRIDAY, NOVEMBER 14, 2008 (LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.)
☐ 9:00AM - 4:00PM Reimagining Windows Administration: The Connections Capstone, HOLME
☐ 9:00AM - 4:00PM Walk in the Park: Office Communications Server Hands-On Labs (Bring Your Own Laptop), FOREMAN
☐ 9:00AM - 4:00PM The SharePoint Developer, Designer, and Power User Game Show, MILLER

CONFERENCE MATERIALS 
Full conference registration includes materials for the one conference for which you register. 
You may purchase materials for the other concurrently run events. 


☐ Microsoft Exchange & Unified Communications Connections Resource CD: $75
☐ Windows Connections Resource CD: $75
☐ SharePoint Connections Resource CD: $75
☐ Microsoft ASP.NET Connections Resource CD: $75
☐ Visual Studio & .NET Connections Resource CD: $75
☐ SQL Server Connections Resource CD: $75


TOTAL


*IMPORTANT: You must reference Microsoft Exchange Connections, Unified Communications Connections, Windows Connections, 
or SharePoint Connections on your check. 


☐ CHECK (payable to Tech Conferences) All payments must be in US Currency. Checks must be drawn on a US bank.
☐ CREDIT CARD ☐ VISA ☐ MASTERCARD ☐ AMEX
CREDIT CARD NO. / EXPIRATION DATE
Cardholder's Signature / Cardholder's Name (print)


PENTON MEDIA 


WinConnections 2008 
c/o Tech Conferences, Inc. 
731 Main Street, Suite C-3 
Monroe, CT 06468 


Mailroom: If addressee is no longer here, 
please route to MIS Manager or Training Director 


FEATURE


Windows Server Backup for Active Directory


Snapshots add to flexibility 
by Guido Grillenmeier 


ILLUSTRATION BY PAUL ANDERSON / IMAGES.COM 


Correctly backing up and ensuring full recoverability of Active Directory (AD) has always been a challenge for IT administrators. To back up AD, you typically back up the whole domain controller (DC); but although backing up a DC might be simple, understanding when to use which recovery option can be difficult. The good news is that most of what you've already learned about AD backup and recovery still holds true for Windows Server 2008.

As with earlier versions of Windows, you can still back up AD by doing a 
full system backup or a system-state backup of any DC of an AD domain, and you
still have to boot the DC in Directory Services Restore Mode (DSRM) and recover 
its system state to recover AD. You also still have to use the native Ntdsutil tool 
to perform an authoritative restore of objects should you need to recover an AD 
object that’s been deleted. Therefore, you don’t need to throw all your existing 
procedures overboard when you roll out your first Server 2008 DCs. 

However, there are changes in the tools (and potentially in the media) you 
use for DC backup and recovery. You won't find the well-known ntbackup.exe, 
the native backup tool in previous Windows versions, on Server 2008. Instead, 
you use Windows Server Backup, the new native backup solution, which is 
available as an installation option in all versions of Server 2008, including Server 
Core. 

Server 2008 also gives you some powerful new options to protect AD data from being accidentally deleted and new ways to recover attribute data for AD. Here I describe these changes, focusing on how the underlying backup mechanisms have changed with Windows Server Backup and how you can use the new snapshot capabilities in Server 2008 for AD. The snapshot feature is worth spending some time with if you want to have faster and complete online recovery of objects without needing to reboot your DC. In an upcoming article, I'll discuss how to prepare for an efficient online recovery of deleted objects, leveraging tombstone reanimation and Microsoft Volume Shadow Copy Service (VSS) snapshots of an AD database. But first things first—let's look at how to use Windows Server Backup for AD backup and recovery.


Introducing Windows Server Backup 
Don’t think of Windows Server Backup as an update to Ntbackup, because it isn’t. In fact, Windows Server Backup 
is completely new and has little in common with Ntbackup. For starters, it has an entirely different UI, as you can 
see in Figure 1. However, the difference between the old and new utilities becomes even more apparent once you realize that Windows Server Backup is designed to do only disk-to-disk backup and to use VSS. Here's a rundown of the most important differences between Windows Server Backup and Ntbackup.

Figure 1: The Windows Server Backup UI

Windows IT Pro, OCTOBER 2008 (www.windowsitpro.com)

• Windows Server Backup uses VSS to create block-level backups from source volumes and to allow efficient creation of incremental backups. The backup files the utility creates on the target volume are actually Microsoft Virtual Hard Disk (VHD) files—the same format used for Microsoft's OS virtualization solutions. If necessary, you can mount the virtual backup disks to a virtual server for direct access or to a physical server (using the Vhdmount tool that comes with Virtual Server 2005). However, Windows Server Backup's backup function using a VHD file differs from a physical-to-virtual migration tool in that it doesn't prepare the VHD to be bootable on a virtual machine. Physical-to-virtual migration tools convert physical instances of servers to virtual machines, replacing important hardware-level drivers with corresponding drivers that are required for the server to run as a virtual machine. Windows Server Backup doesn't do this conversion.

• Windows Server Backup can back up and restore only NTFS volumes. (On IA64 systems the utility also supports the Extensible Firmware Interface system partition.) Both Master Boot Record and GUID Partition Table partition types are supported.

• Windows Server Backup always backs up whole volumes—you can't back up individual files or folders, although you can specify particular files or folders to restore. The exception is a system-state backup, which includes all necessary system files but doesn't back up the entire volume.

• Although Server 2008 still provides the APIs for tape access and media changers, Windows Server Backup can't back up to a tape drive. Rather, it backs up only to an internal or externally attached disk—and only to basic disks, not to dynamic or Encrypting File System-encrypted disks.

• Other supported backup targets for Windows Server Backup are network shares and DVD media. However, because the system can't perform a Volume Shadow Copy Service snapshot to a network share or a DVD, these two target types don't let you store multiple backup versions on the same target. Additionally, a system-state backup can't be performed directly to a network share; it needs to use a local volume.

• Windows Server Backup's UI doesn't support a system-state backup; however, all backup commands are available through the wbadmin.exe command-line tool.

• With the exception of a system-state backup, Windows Server Backup can't store a backup on the same volume as the one that's being backed up.

• Windows Server Backup is designed to allow very easy full-system recovery, so there's no need to install a new server OS before you can recover from a backup. Windows Server Backup can quickly recover a server from bare metal.


Storing a DC System-State Backup on the Source Volume

to store a backup on different media than the media that you're backing up, if only to avoid a single point of failure. After all, what good is a backup if it's destroyed together with the disk you need to recover?

However, if your AD domain has multiple DCs that replicate with each other (as it should), then you have a replacement for every DC and its backup. In that event, you might decide to do a DC system-state backup to source media anyway.

Although it's technically possible for the system-state backup to be stored on the source volume, Server 2008 doesn't let you do so by default—you need to tweak the registry to enable backing up to the source. Open the registry, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup, and add the DWORD value AllowSSBToAnyVolume. Setting AllowSSBToAnyVolume to 1 enables system-state backups to any volume, including the source volume, such as C. Set the value back to 0 to revert to the default Server 2008 behavior.

Remember that backing up to the source doesn't allow bare-metal recovery. For complete recovery of a broken DC, you must reinstall the OS before you can perform a system-state recovery.


So what do the changes in the native backup tool mean for backup and recovery of Server 2008 AD DCs? There's no need to back up every DC in your forest—you can always recover a DC by re-promoting it and replicating the data from another DC. For backup redundancy, however, you should back up at least two writeable DCs per domain in your forest. Although backup and recovery of read-only domain controllers (RODCs) is generally supported, you can't authoritatively restore objects backed up from an RODC because RODCs don't replicate changes to other DCs.

Windows Server Backup requires you to provide a separate target volume for the backup data. This requirement might pose a challenge for single-volume server configurations, but if you have the space to partition your DCs, you can create a volume dedicated solely to backup data. If that isn't possible, you can still perform a backup to a network share. And if your system volumes contain a lot of other data that you don't care to back up over the network (or to a different drive), you can perform a system-state backup—even on the same volume as the source data—to ensure recoverability of the DC's AD database. For instructions on how to store a system-state backup of a Server 2008 DC on the source volume, see the sidebar "Storing a DC System-State Backup on the Source Volume."

Realize that in contrast to a full system recovery, a system-state recovery doesn't perform a block-level restore and thus doesn't erase the target volume before the restore. A system-state recovery is file-based, recovering all Windows System files and registry settings to the state they were in at backup. A system-state recovery doesn't restore applications that were installed on the server and doesn't recover local user profiles.


Backing Up a DC

The first step toward backing up a DC is to install Windows Server Backup on your Server 2008 system. On a full server installation, using Server Manager's Add Features Wizard is the easiest approach. On a Server Core system, execute the command


ocsetup WindowsServerBackup


Before you perform any backups, you need to configure the Optimize Backup Performance settings for Windows Server Backup. You can find these settings in the Windows Server Backup menu's task pane or by right-clicking the Windows Server Backup node under Storage in the Server Manager tree. By default, Windows Server Backup always performs a full backup, but as Figure 2 shows, you can configure it to perform incremental backups. Unfortunately, Server Core offers no command-line option to help you configure the settings. Microsoft recommends connecting to the Server Core box from a full server running Windows Server Backup and configuring the settings remotely.

Figure 2: Configuring the Optimize Backup Performance option. Dialog text: You can optimize backup and server performance by choosing one of the following settings.
• Always perform full backup: This option slows down the backup speed, but does not impact overall performance.
• Always perform incremental backup: This option increases the backup speed, but might decrease performance of the volume because shadow copies are left behind. Not recommended for servers with hard disk-intensive applications.
• Custom: This option enables you to configure each volume separately to either run full backups or incremental backups.

The Optimize Backup Performance settings let you specify whether Windows Server Backup should keep or erase the VSS snapshots that it automatically creates on the source disk during each backup cycle. When you choose incremental backups, you choose to keep the snapshots on the disk; when you choose full backup, the snapshots are erased after the backup is finished. Keeping the snapshots lets the system automatically track changes on the source disk at runtime. However, tracking changes requires VSS to copy the original block to the shadow copy area before overwriting the source block. That procedure initiates extra disk activity and requires additional space on the source disk. On servers with write-intensive applications, keeping the shadow copies can slow disk performance.

Which option should 
you choose for your DCs? 
Incremental backups are 
better for two reasons. 
First, DCs are much more often read from 
rather than written to, so they tend not to 
be write intensive and don’t take much of 
a performance hit from the VSS activity. 
Second, you can use the shadow copies 
for other AD recovery options. For each 
of your hard disks, you can configure the 
amount of space devoted to snapshots by 
using the Microsoft Management Console 
Disk Management snap-in or the vssadmin.exe command-line tool, both of which are
installed with the OS. 
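The cost described above, one extra block copy the first time each block is overwritten after a snapshot, can be made concrete with a small model. The following Python code is an added example, not from the article or from Microsoft; it simulates the copy-on-write step as the article describes it, and the class name, block counts and workload ratios are assumptions chosen for illustration.

```python
"""Toy model of the copy-on-write behaviour the article attributes to VSS.

Constructed for illustration: names, block counts and workloads are
assumptions, not Windows internals.
"""
import random


class SnapshotVolume:
    """A volume of blocks with at most one retained snapshot."""

    def __init__(self, block_count):
        self.blocks = [b"\x00"] * block_count
        self.shadow = {}            # block index -> content at snapshot time
        self.snapshot_active = False
        self.reads = 0
        self.writes = 0
        self.cow_copies = 0         # extra copies into the shadow copy area

    def take_snapshot(self):
        # Keeping the snapshot after a backup: from now on the first
        # overwrite of every block must preserve the old content first.
        self.shadow = {}
        self.snapshot_active = True

    def read(self, index):
        self.reads += 1
        return self.blocks[index]

    def write(self, index, data):
        if self.snapshot_active and index not in self.shadow:
            self.shadow[index] = self.blocks[index]   # copy before overwrite
            self.cow_copies += 1
        self.blocks[index] = data
        self.writes += 1

    def snapshot_read(self, index):
        """Content of a block as it was when the snapshot was taken."""
        return self.shadow.get(index, self.blocks[index])

    def changed_blocks(self):
        """Blocks an incremental backup would have to transfer."""
        return sorted(self.shadow)


def run_workload(block_count, operations, write_ratio, seed=1):
    """Apply a random read/write mix to a volume that keeps its snapshot."""
    rng = random.Random(seed)
    volume = SnapshotVolume(block_count)
    volume.take_snapshot()
    for i in range(operations):
        index = rng.randrange(block_count)
        if rng.random() < write_ratio:
            volume.write(index, b"op%d" % i)
        else:
            volume.read(index)
    return volume


def summarize(volume):
    return {
        "operations": volume.reads + volume.writes,
        "writes": volume.writes,
        "extra_copy_writes": volume.cow_copies,
        "shadow_blocks": len(volume.shadow),
        "incremental_blocks": len(volume.changed_blocks()),
        "full_backup_blocks": len(volume.blocks),
    }


if __name__ == "__main__":
    # Constructed workloads: a read-mostly DC versus a write-heavy server.
    for label, ratio in (("read-mostly DC", 0.02), ("write-heavy server", 0.60)):
        print(label, summarize(run_workload(1000, 10000, ratio)))
```

The read-mostly run touches only a small fraction of the volume, so the shadow area stays small and the incremental backup moves far fewer blocks than a full one; the write-heavy run pays the extra copy on nearly every block.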

On a full-server system, you can config- 
ure a backup with a few simple choices in 
the Windows Server Backup UI. On Win- 
dows Server Backup’s Action menu, click 
Backup once to launch the Backup Once 
Wizard and let it guide you through the 
configuration process. When you reach the 
Select backup items page, make sure that 
the Enable system recovery check box is 
selected to ensure recovery of the AD data- 
base. The Enable system recovery option 
backs up all volumes that contain system- 
state data. Note that you can also schedule 
a backup; however, this option requires 
a dedicated local disk that’s used only by 
Windows Server Backup. 

Figure 3: Viewing the backup folder and subfolders

The best way to deploy DCs, however, is on a Server Core system, as it is more secure by default and thus reduces the attack surface on your DCs. But of course, a Server Core deployment means that you have to do most administration through the command line. Here's how to perform a backup from the command line:

1. To back up the full system, including 
all critical volumes (i.e., those that contain 
system data such as the AD database), 
thus allowing bare-metal recovery, run the 
command 


WBADMIN Start Backup -backupTarget:D: -allCritical


replacing D: with the target drive on which 
you'll store the backup. If the target is a 
network location, enter the Universal Nam- 
ing Convention path to the share 
(e.g., \\Server2.corp.net\BackupData). 

2. To back up only the system state, use 
the command 


WBADMIN Start SystemStateBackup -backupTarget:C:


Note that this command doesn’t require 
the -allCritical option; the Start System- 
StateBackup command always backs up all 
system data. 


With either command, the result is a folder 
on the target named WindowsImageBackup. 
The folder contains a subfolder with the 
server’s short name (“W2K8Full04” in Figure 
3). The actual backup data is stored in the 
server folder, primarily in a VHD file that 
contains all the blocks of data. Some XML 
files hold registry and other settings. You 
can copy the whole WindowsImageBackup 
folder to a different location (on the network 
or on disk), but you must keep the same 
folder structure to allow the recovery pro- 
cess to find the backup data. 
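A DC backup holds the AD database, so a copy moved to another disk or share is worth checking before the original is discarded. The following Python code is an added example, not from the article or from Microsoft: it checks the folder structure described above and, going beyond the article, compares SHA-256 hashes of source and copy. The file names below the server folder and all function names are constructed for the example.

```python
"""Check that a copied WindowsImageBackup folder kept its structure and content."""
import hashlib
import os
import shutil
import tempfile

BACKUP_ROOT_NAME = "WindowsImageBackup"   # folder name given in the article


def sha256_file(path, chunk_size=1024 * 1024):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path relative to root ('/' separators) to its SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            relative = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[relative] = sha256_file(full)
    return manifest


def check_layout(root):
    """Return problems that would keep recovery from finding the backup data."""
    problems = []
    if os.path.basename(os.path.normpath(root)).lower() != BACKUP_ROOT_NAME.lower():
        problems.append("top folder is not named " + BACKUP_ROOT_NAME)
    if not os.path.isdir(root):
        return problems + ["backup folder does not exist"]
    servers = sorted(e for e in os.listdir(root)
                     if os.path.isdir(os.path.join(root, e)))
    if not servers:
        problems.append("no server subfolder")
    for server in servers:
        # Searched recursively: the article does not spell out the nesting
        # below the server folder.
        extensions = set()
        for _folder, _dirs, files in os.walk(os.path.join(root, server)):
            extensions.update(os.path.splitext(f)[1].lower() for f in files)
        for needed in (".vhd", ".xml"):
            if needed not in extensions:
                problems.append("%s: no %s file" % (server, needed))
    return problems


def compare_copy(source_root, copy_root):
    """Compare a copied backup folder against the original."""
    source, copy = build_manifest(source_root), build_manifest(copy_root)
    return {
        "layout_problems": check_layout(copy_root),
        "missing": sorted(set(source) - set(copy)),
        "extra": sorted(set(copy) - set(source)),
        "changed": sorted(p for p in set(source) & set(copy)
                          if source[p] != copy[p]),
    }


def make_sample_backup(parent):
    """Constructed stand-in for a backup target; file names are made up."""
    root = os.path.join(parent, BACKUP_ROOT_NAME)
    version = os.path.join(root, "W2K8Full04", "Backup 2008-01-27 151800")
    os.makedirs(version)
    with open(os.path.join(version, "constructed-volume.vhd"), "wb") as handle:
        handle.write(b"constructed block data " * 1000)
    with open(os.path.join(version, "constructed-settings.xml"), "w") as handle:
        handle.write("<settings constructed='true'/>")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        original = make_sample_backup(os.path.join(work, "D"))
        copy = os.path.join(work, "share", BACKUP_ROOT_NAME)
        shutil.copytree(original, copy)
        print(compare_copy(original, copy))
```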
Unless you're using the DC for many other functions (which is most likely for small-to-midsized businesses) and have no opportunity to back up the full system to a local drive, there isn't much point in creating just a system-state backup for DCs. A full system backup of a Server 2008 DC that doesn't
host a plethora of other services (which is 
the optimal case for writeable DCs) typically 
isn’t much larger than a system-state backup 
of the same machine. More important, with 
a full system backup you can perform incre- 
mental backups, which you can’t when using 
the system-state backup option. Incremental 
backup saves considerable time and disk 
space if you want to keep multiple backup 
versions on your target disk. Also, you can 
use full-system-backup files to perform a 
system-state recovery. 


Performing a Complete DC Recovery 
Recovering a Server 2008 DC from scratch 
with Windows Server Backup involves a 
few more steps than does performing the 
backup. But compared to the process for 
earlier Windows OSs, which used Ntbackup 
to perform full system recoveries, the new 
process is fairly simple: It doesn’t require 
you to first reinstall the OS, but simply 
applies the image of the system volume(s) 
stored in the backup’s VHD file(s). 

1. Boot the server from Server 2008 
installation media. Doing so boots the 
server into the same Windows Preinstalla- 
tion Environment session that you use to 
deploy a new Server 2008 instance. 

2. At the Install Windows screen, choose Repair your computer at the bottom left. This option starts the Windows Recovery Environment (Windows RE), which lets you perform various repair and recovery tasks on the server. Windows RE tries to determine which OS is installed on the server and requires access to the local disks at this time; if necessary, you can load drivers from CD, DVD, USB, or the floppy drive.

3. After Windows RE finds and selects 
your OS, click Windows Complete PC 
Restore to do a full system recovery. The 
Windows Server Backup restore procedure 
searches the local, USB, and DVD drives 
for the disk-based backup media to use as 
the source for the system recovery. You can 
also manually connect to a network share 
to recover the system from a backup stored 
on a remote machine. 

4. Choose the backup source you want 
to use for the actual recovery operation. 

A complete recovery wipes all data from 
the target disk and performs a block-level 
restore. If your system has multiple vol- 
umes, you can choose to recover specific 
volumes; only those you choose to recover 
will be erased during the recovery proce- 
dure. You'll be prompted to acknowledge 
the erasure of all data on the target disk 
before the recovery proceeds. 

5. After completing the restore, the sys- 
tem will automatically reboot the DC and 
bring it back online. The DC will then syn- 
chronize with AD to replicate all changes 
that were made since the backup was per- 
formed. 


Combining a full system recovery of a 
Server 2008 DC with an authoritative restore 
of objects (e.g., to recover an accidentally 
deleted object) requires special precautions. 
You need to ensure that the server boots into 
DSRM (press F8 during the boot sequence 
to choose DSRM) immediately after the 
system recovery is complete (i.e., before
replicating with other DCs). Server 2008 
still requires DSRM to allow access to the 
AD database for performing authoritative 
restores using the Ntdsutil tool. This process 
hasn’t changed from earlier OS versions. 


Performing a System-State Recovery

If you need to recover only AD, you can 
restore just the DC’s system state. How- 
ever, a system-state restore requires a fully 
operational OS. Also, because the Windows 
Server Backup UI doesn’t support a system- 
state restore, you need to use the Wbadmin 
command-line tool. A system-state recovery of a Server 2008 DC is a bit tedious because you must use the command line, but the process is similar to that of restoring the system state of an earlier version of Windows.

1. Boot the DC into DSRM by pressing F8 during the boot sequence and use the recovery password to log on as Administrator. If necessary, you can recover the system state to a brand-new, similarly configured Server 2008 server on which the Windows Server Backup feature is installed.

2. Open a command prompt and locate available backup versions via Wbadmin by using the command 

wbadmin get versions -backupTarget:drive_or_share -machine:servername 

where drive_or_share is the path to the backup target and servername is the name of the machine being restored. The output will resemble that in Figure 4. 

3. From the output, identify the backup 
version to use for the system-state recov- 
ery. You can recover the system state from 
any backup that lists System State in the 
Can Recover line. Copy the version identi- 
fier (e.g., 01/27/2008-15:18) for use in the 
next step. 

4. Start a system-state recovery of the desired backup version using the following Wbadmin command: 

wbadmin Start SystemStateRecovery -version:versionID -backupTarget:drive_or_share -machine:servername 

where versionID is the version identifier from the Get Versions output. When prompted, confirm the recovery. Wbadmin will mount the backup’s VHD file and copy the required files to the source drive. Be prepared: A system-state restore can take considerably longer than a full-volume recovery, which is block-based. 

5. After recovery, the server will want to 
reboot. If you want to perform an authori- 
tative restore of AD objects, don’t reboot 
until you’ve run Ntdsutil with the appropri- 
ate options. 

6. Reboot the system to replace all files that were in use during recovery. Rebooting takes time, and the server might have to reboot more than once to replace specific files and complete the system-state recovery, but rebooting is an important part of the recovery process. Successful system-state recovery is confirmed by a command prompt at the first logon after rebooting. 

C:\Users\MyAdmin>wbadmin get versions -backupTarget:e: 
wbadmin 1.0 - Backup command-line tool 
(C) Copyright 2004 Microsoft Corp. 

Backup time: 1/27/2008 4:18 PM 
Backup target: Fixed Disk labeled SysProg(C:) 
Version identifier: 01/27/2008-15:18 
Can Recover: Application(s), System State 

Backup time: 1/27/2008 7:43 PM 
Backup target: Fixed Disk labeled Backup1(D:) 
Version identifier: 01/27/2008-18:43 
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State 

Figure 4: Locating available backup versions with Wbadmin 
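
Steps 2 through 4 above can be checked mechanically. The following PowerShell example is added here and is not from the original article: it parses Wbadmin get versions output in the Figure 4 format, keeps only versions whose Can Recover line lists System State, and prints the recovery command for review instead of running it. The function names and the machine name DC01 are placeholders, and it assumes PowerShell 2.0 or later is available.

```powershell
# Added example, not from the article. Sample input: the output in Figure 4.
# On a live server, capture the real output instead, for example:
#   $lines = wbadmin get versions -backupTarget:e: -machine:DC01
$sample = @'
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 1/27/2008 4:18 PM
Backup target: Fixed Disk labeled SysProg(C:)
Version identifier: 01/27/2008-15:18
Can Recover: Application(s), System State

Backup time: 1/27/2008 7:43 PM
Backup target: Fixed Disk labeled Backup1(D:)
Version identifier: 01/27/2008-18:43
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

# Version identifiers look like 01/27/2008-15:18 (MM/dd/yyyy-HH:mm).
$VersionPattern = '^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}$'

function ConvertFrom-WbadminVersions {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Backup time:\s*(.+?)\s*$') {
            # Each "Backup time" line starts a new backup entry.
            if ($null -ne $current) { $entries += New-Object PSObject -Property $current }
            $current = @{ BackupTime = $Matches[1]; BackupTarget = ''; VersionId = ''; CanRecover = @() }
        }
        elseif ($null -eq $current) { continue }   # banner lines before the first entry
        elseif ($line -match '^\s*Backup target:\s*(.+?)\s*$')      { $current.BackupTarget = $Matches[1] }
        elseif ($line -match '^\s*Version identifier:\s*(\S+)\s*$') { $current.VersionId = $Matches[1] }
        elseif ($line -match '^\s*Can Recover:\s*(.+?)\s*$') {
            $current.CanRecover = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() })
        }
    }
    if ($null -ne $current) { $entries += New-Object PSObject -Property $current }
    return $entries
}

function ConvertTo-VersionTime {
    param([string]$VersionId)
    [datetime]::ParseExact($VersionId, 'MM/dd/yyyy-HH:mm',
        [System.Globalization.CultureInfo]::InvariantCulture)
}

function Select-SystemStateVersion {
    param([object[]]$Entries)
    # Step 3: only versions that list System State qualify; take the newest.
    $Entries |
        Where-Object { ($_.CanRecover -contains 'System State') -and ($_.VersionId -match $VersionPattern) } |
        Sort-Object { ConvertTo-VersionTime $_.VersionId } |
        Select-Object -Last 1
}

function Get-SystemStateRecoveryCommand {
    param($Entry, [string]$BackupTarget, [string]$Machine)
    # Reject anything that is not a plain version ID, drive or share, or
    # NetBIOS name, so no stray switch or metacharacter reaches the command line.
    if ($Entry.VersionId -notmatch $VersionPattern) {
        throw "Unexpected version identifier: $($Entry.VersionId)"
    }
    if ($BackupTarget -notmatch '^([A-Za-z]:|\\\\[\w.-]+\\[\w$.-]+)$') {
        throw "Unexpected backup target: $BackupTarget"
    }
    if ($Machine -notmatch '^[A-Za-z0-9-]{1,15}$') {
        throw "Unexpected machine name: $Machine"
    }
    "wbadmin start systemstaterecovery -version:$($Entry.VersionId) -backupTarget:$BackupTarget -machine:$Machine"
}

$entries = @(ConvertFrom-WbadminVersions -Lines ($sample -split '\r?\n'))
$chosen  = Select-SystemStateVersion -Entries $entries
if ($null -eq $chosen) { throw 'No backup version lists System State under Can Recover.' }

# Print the command only; the operator confirms it and runs it in DSRM (step 4).
Get-SystemStateRecoveryCommand -Entry $chosen -BackupTarget 'e:' -Machine 'DC01'
```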


Forest Recovery Considerations 

With this background information, you 
should be well prepared to plan your own 
DC backup and recovery. This informa- 
tion might even affect how you plan to set 
up the volumes used on a DC for data and 
for backup, because you'll need a separate 
target volume for your backups when using 
the full-system backup method. I recom- 
mend performing a volume-based full- 
system backup over a system-state backup 
if your DC configuration allows it—a full- 
system backup is more efficient and lets 
you perform fast incremental backups. Both 
methods let you restore just the system state 
(which is required to restore the AD data- 
base on a DC). However, a volume-based 
system recovery outperforms a file-based 
system-state recovery. 

Forest recovery continues to be a special 
challenge, which I don’t have room to go 
into here. But as long as you back up your 
DCs regularly and have at least two DCs per 
domain in your forest, you’re prepared to 
perform a forest recovery as well. 

A major benefit of Server 2008 is that ideally you'll deploy writable DCs only within your well-connected hub sites and use RODCs in all locations outside of your hub data centers that contain DCs. The benefits of using RODCs include a smaller attack surface and improved security for your overall IT infrastructure. However, RODCs also provide benefits from a forest-recovery perspective because they don’t require the same attention as writeable DCs during recovery. RODCs can’t replicate data to the hub, and that makes for a much smoother and faster forest recovery. RODCs help you concentrate on your hubs and recovering your DCs without worrying about interference from remote DCs. After the hubs are online and working, you can tackle the RODCs at the remote sites. 


Taming the AD Backup Beast 
AD backup and recovery is still a complex 
process in Server 2008. You have powerful 
new options to help you with this task, but 
you need to learn how to use them correctly. 
In an upcoming article, I’ll explain how VSS 
snapshots provide a feasible way to recover 
attribute data from AD, letting you imple- 
ment a real online recovery of objects that 
you might have accidentally deleted. I'll also 
show you some new options in Server 2008 
that help prevent accidental deletion of AD 
data. 
Install and Configure System Center Essentials 2007 

Set up Essentials 2007—Microsoft's management solution for midsized environments—by following these straightforward steps 

by John Howie 


PROBLEM: 
You want to automate software updates and other systems management tasks in 

SOLUTION: 
Install and configure Microsoft System Center Essentials 2007. 

WHAT YOU NEED: 
Essentials 2007 SP1, 2GHz x86- or x64-processor CPU and 1-2GB RAM, Windows Server 2008 or Windows Server 2003 SP1 or R2, Microsoft .NET Framework 2.0 or 3.0, Microsoft IIS 6.0 (7.0 for Server 2008), ASP.NET 2.0 

SOLUTION STEPS: 

1. Install Essentials 2007. 

2. Configure Essentials 2007 to auto-discover your IT assets. 

3. Select the systems you want Essentials 2007 to manage. 

4. Configure automatic software updates using Microsoft Update, or download software updates, store them on a local system, and distribute them yourself. 


When Microsoft released System Center Operations Manager 2007, the successor to Microsoft Operations Manager (MOM) 2005, it also took the time to update MOM 2005 Workgroup Edition. The rebranded version is Microsoft System Center Essentials 2007, a System Center version scaled for midsized environments (i.e., networks with up to 30 servers and 500 desktops) that lets administrators manage networks and software updates. Essentials 2007 SP1, released in May, includes improvements such as better update management; support for Windows Server 2008, workgroup systems, and SNMP monitoring; and better performance and usability. I'll help you start using Essentials 2007 by guiding you through its installation and initial configuration. In an upcoming article, I'll show you how to set up and use key management features of Essentials 2007. 


Before You Start 

Before you install Essentials 2007, make sure your environment can support the product's hardware requirements and that you've installed the software prerequisites. You can find information about Essentials 2007 hardware and software requirements in the Essentials 2007 readme file and on the Microsoft System Center Essentials System Requirements web page (www.microsoft.com/systemcenter/essentials/en/us/system-requirements.aspx). Note that you must configure Microsoft IIS to allow ASP.NET 2.0; additionally, to enable email event notifications, you'll need an SMTP relay-and-mail system, such as Microsoft Exchange 2007 or Exchange Server 2003. I also recommend that before installing Essentials 2007, you apply all the latest updates to the server you'll install it on. 

Essentials 2007 uses Microsoft SQL Server 2005 to store configuration and operations data and includes a copy of Microsoft SQL Server 2005 Express Edition. For most deployments, SQL Server 2005 Express will be sufficient to store your environment’s systems management information and provide reports. However, if you have a large network, you can use a SQL Server 2005 database server with SQL Server 2005 Reporting Services (SSRS) to store systems management data and provide reports. If you have a large network but no SQL Server 2005 database server, or if none of your SQL Server database servers has spare capacity, you can buy the Essentials 2007 with SQL Server Technology version, which includes a copy of SQL Server 2005 intended solely for Essentials 2007. (For more information about the Essentials 2007 with SQL Server Technology version and other Essentials 2007 versions, see the Microsoft System Center Essentials Pricing and Licensing web page at www.microsoft.com/systemcenter/essentials/en/us/pricing-licensing.aspx.) 

An Essentials 2007 installation is typically simple and straightforward, but there are some known issues you should be aware of. To learn more about known issues and get other important installation information, I recommend that you consult the Release Notes and Installation Guide that come with Essentials 2007. If you’ve installed the software prerequisites but haven’t rebooted your server (even if a reboot isn’t required), I strongly recommend that you reboot it before proceeding. 


Install Essentials 2007 

Start the Essentials 2007 installation wizard by inserting the installation DVD into your DVD drive. Once the wizard has launched, you'll see three installation options: Full Setup, User Interface, and Agent. Select Full Setup. If you don’t have Microsoft Core XML Services (MSXML) 6.0 SP1 installed, the wizard will prompt you to install MSXML 6.0 SP1. Click OK to launch the MSXML 6.0 SP1 installation wizard. For more information about installing MSXML 6.0 SP1, visit the Microsoft Core XML Services (MSXML) 6.0 Service Pack 1 web page (www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en). After MSXML 6.0 SP1 is installed, relaunch Full Setup. The installation wizard will confirm whether your machine has the hardware and software prerequisites, then ask whether you want to store update files locally or obtain them from the Microsoft Update website (www.update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=en-us). 

The decision whether to store update files locally or use the Microsoft Update service to obtain updates is important. The latter option requires all your managed servers and workstations to go to Microsoft Update to obtain software updates. You might choose this option if you don’t have server capacity for inhouse update management, if you have two or more sites with Essentials 2007-managed systems and slow links connecting them, or if you’re using Essentials 2007 to manage the laptops of highly mobile users (although this scenario comes with a number of other problems which might make Essentials 2007 unsuitable, such as disconnected laptops that will erroneously report as being offline when they’re merely not connected to the enterprise network). By far, the preferred option is to let your Essentials 2007 server download updates from Microsoft Update, store the updates locally, and distribute them to your servers and workstations. Storing updates locally will also save bandwidth in your Internet connection. 

If you choose to store updates locally, you must choose a folder on an NTFS volume that has at least 6GB of free disk space. The default location is C:\SCE. You must also decide whether to install and use SQL Server 2005 Express or reuse an existing local or remote SQL Server instance. Next, the wizard requests credentials for the user account that will have administrator-level access on the Essentials 2007 server and all servers and workstations that Essentials 2007 will manage. Essentials 2007 will use these credentials to run, perform Active Directory (AD) lookups, and manage computers. The easiest way to provide these credentials is to create an Essentials 2007 domain user account and make it a member of the Domain Admins group. 

The wizard will start the installation process, which could take a long time to finish. Finally, the wizard will prompt you to visit Microsoft Update to download the latest updates and Essentials 2007 components, such as the Microsoft Office 2003 Web Components. 

When the wizard finishes, you’ll see two options (check boxes): one to launch the Essentials 2007 console to complete the configuration process and the other to back up the encryption key. These options are selected by default. I recommend that you leave them selected and simply click Finish to launch the Encryption Key Backup or Restore Wizard. The encryption key protects sensitive information, such as the credentials that Essentials 2007 uses. The wizard asks whether to back up or restore the encryption key, then prompts for the backup- or restore-folder location, and finally asks for a passphrase to encrypt or decrypt the encryption key. Store the key and the passphrase on a flash drive in a secure place, such as a fireproof safe. At this point, the console should be launched, and you're ready to configure Essentials 2007. 

Figure 1: Setting up Essentials 2007 using the console 


Configure Essentials 2007 

If the System Center Essentials 2007 console doesn’t launch on its own (i.e., if you cleared the launch check box mentioned in the previous section), open the console by clicking Start, then select All Programs, System Center Essentials 2007, and click System Center Essentials 2007 Console. You'll use the console to configure product features, the computers and devices you want managed, and Microsoft Update settings, as Figure 1, page 39, shows. Click the Required: Configure product features link to launch the Feature Configuration Wizard. 

Figure 2: Selecting devices for Essentials 2007 to manage 

The wizard will prompt you to configure the proxy server, Windows Firewall, and error forwarding, among other options. Unless you have a specific reason to change the default settings, I recommend you leave them as is, except for Scheduled Discovery. By default, Essentials 2007 Scheduled Discovery is disabled. When enabled, it will daily discover unmanaged computers (i.e., those that haven't had the Essentials 2007 management agent deployed to them) that you’ve added to your domain and silently deploy the management agent to them. The agent manages the system it’s installed on; checks its health using standard parameters such as disk space, CPU utilization, and memory use; executes commands sent from the Essentials 2007 server; and corrects any problems it finds on the managed system. You can always change the individual configuration settings later to reflect changes in your environment. Click OK to return to the Essentials 2007 console. 

Next, click the Required: Configure computers and devices to manage link to launch the Computer and Device Management Wizard. The wizard lets you choose either automatic or advanced discovery. Advanced discovery lets you set discovery parameters and discovery methods, such as completely scanning AD, scanning only selected organizational units (OUs), or scanning particular system names. For example, you can configure Essentials 2007 to look in AD for computers running Windows Server 2003 R2 and managed by a particular person named in the computer object. For most installations, however, automatic discovery is the best option because your Essentials 2007 server will auto-discover and manage all your assets anyway. You can also configure Essentials 2007 to search for machines with the user-account credentials specified during the Essentials 2007 installation, or you can specify a new set of credentials for a user with administrator-level permissions on each machine you'll scan (e.g., a user who's a member of the Domain Admins group). 

The amount of time Essentials 2007 spends on discovery will depend on your network’s size and complexity and whether you configured automatic or advanced discovery. You might find that some systems are difficult for Essentials 2007 to discover regardless of whether you use automatic or advanced discovery. For example, systems with firewalls typically won’t respond to Essentials 2007 probes unless you configure the firewalls to allow Essentials 2007 access. If Essentials 2007 doesn’t detect systems, you'll have to manually add those systems, as I'll describe in an upcoming article. 

When the discovery process is finished, 
the Computer and Device Management Wiz- 
ard will output a list of discovered systems, 
as Figure 2 shows. Select the systems you 
want Essentials 2007 to manage. If you kept 
Scheduled Discovery disabled when you 
ran the Feature Configuration Wizard, you'll 
need to perform periodic discovery scans to 
find new, unmanaged devices. At the end of 
the wizard, click OK to return to the Essentials 
2007 console. 

To complete the Essentials 2007 con- 
figuration, click Required: Configure Microsoft 
Update settings to launch the Update Man- 
agement Configuration Wizard. Windows 
Server Update Services (WSUS) 3.0 SP1, 
which is installed during the Essentials 2007 
installation, is integrated with Essentials 2007 
and the Update Management Configuration 
Wizard. You can control WSUS settings from 
Essentials 2007. The wizard lets you configure 
proxy server settings to manually synchronize 
WSUS with Microsoft Update and select the 
products, languages, classifications, and syn- 
chronization options for your environment. 
(You can always change Microsoft Update 
settings later.) Click OK to exit the wizard and 
return to the Essentials 2007 console. 


Ready to Go 
Now that you've performed the basic Essen- 
tials 2007 installation and configuration, 
you're ready to set up additional components 
and learn to use Essentials 2007 features. In 
an upcoming article, I'll continue our Essen- 
tials 2007 tutorial by showing you how to 
install agents on systems that have firewalls 
(such as Microsoft ISA Server), how to use the 
Essentials 2007 management console, how 
to deploy and manage updates, and how to 
deploy software. 
Enterprise messaging has evolved from the green-screen experience of applications in the 1980s to the newest generation of email: Messaging delivered as a service. But because technology generations overlap each other, deciding which messaging option or combination of options to use can be more complicated than meets the eye. Let’s look at the newest generation, known as hosted email or email as a service, and the ways your existing email deployment could evolve, plus what you need to consider as you chart your company’s messaging plan for the future. 


Three Messaging Options 
Options for enterprise messaging are evolving as new computing paradigms appear. If we take a five-year 
view from today, three major options appear that are viable alternatives: 

1. Use inhouse email based on a platform such as Microsoft Exchange or IBM Lotus Notes. 

2. Use email as a service, where the email service provider delivers all the necessary compute 
power, storage, and application logic via the web (sometimes called delivery via the cloud). 

3. Use a hybrid approach by offering inhouse email for users who require a great deal of function- 
ality and hosted email service for users who need only the ability to send and receive messages. 
Which option your organization should 
choose depends on its current infrastruc- 
ture, its appetite for risk, the number of 
users and their security requirements and 
other needs, how much the company is 
willing to invest in the provision of an email 
service to users, and whether the com- 
pany has made other investments in the 
email infrastructure that will be affected 
by a move to a new platform. For exam- 
ple, many large companies have deployed 
Research in Motion’s (RIM’s) BlackBerry 
Enterprise Server alongside Exchange or 
Lotus Notes or have built applications 
based on Exchange public folders or Lotus 
Notes mail routing. It’s hard to migrate 
to a new platform unless the new plat- 
form offers equivalent functionality. I’ll 
talk about more adoption considerations 
in a moment. First, let’s look at the newest 
option for email evolution—hosted email 
or email as a service. 


Email as a Service 
Email as a service is related to software as 
a service (SaaS), the software distribution 
model where customers access applications 
hosted by a service provider via the Internet. 
Cost is usually the major driver for using 
email as a service. A low-cost fixed-price 
offering is an attractive proposition when 
you consider the costs of servers, storage, 
networks, software licenses, and technical 
support necessary to run inhouse email. 
Microsoft’s email-as-a-service solution is 
Microsoft Exchange Online, which is based 
on Exchange 2007. Part of Microsoft Online 
Services, a set of enterprise-class software 
offerings delivered as subscription services 
and hosted by Microsoft, Exchange Online 
should arrive toward the end of 2008, and 
is available in standard and dedicated ver- 
sions. (For more information about Micro- 
soft Online Services and Exchange Online 
see www.microsoft.com/online.) The stan- 
dard version provides an infrastructure that 
hosts mailboxes from many different com- 
panies. The dedicated version is for compa- 
nies with more than 5,000 users: Microsoft 
builds out a server environment to host the 
anticipated load. Both versions are based in 
Microsoft data centers and offer 1GB mail- 
boxes, support for Windows Mobile devices, 
Outlook Web Access (OWA), antivirus and 
antispam, and 99.9 percent availability (the 
claim of 99.9 percent availability needs to be 
tested over time). 

The dedicated version offers some 
optional services such as archiving, RIM 
BlackBerry support, and data migration 
from an existing mail system. Customers 
using Active Directory (AD) can set up single 
sign-on (SSO) through a directory trust. 

Google’s offering is Google Apps, which includes Gmail with a 25GB mailbox, Google Calendar, and Google Docs (e.g., word processing, presentations, and spreadsheets). Gmail is a perfectly acceptable email system if you’re willing to accept a web-based or IMAP client (including Microsoft Office Outlook) and less integration between components than is delivered by the Outlook-Exchange combination. Google offers antispam and antivirus services via its Postini subsidiary and can provide enhanced services for archiving, security, and compliance. 

A simple five-step approach can help to crystallize the discussion about email and prepare you to balance demands from different constituencies in your company. 

Moving to Gmail is straightforward if you use only basic email features such as Send and Receive messages. In particular, companies whose email strategy depends on POP3/IMAP4 based on a server such as Sun Microsystems iPlanet will find it easy to move to Gmail. However, companies that currently use an inhouse email system will run into problems associated with migration, the client experience, and interoperability. They might also find that their needs for e-discovery, compliance, and customization cause further complications. For example, some industry regulations require that every outgoing message (including those sent by mobile device) is stamped with a disclaimer text—with Gmail, it’s a challenge; with Exchange 2007, it entails a relatively simple transport rule. In the future, Google will likely develop Gmail as a more fully featured email server and improve its support for clients such as Outlook as well as invest in utilities that improve Gmail’s interoperability. 

Speaking of support, that’s another 
issue that Google has yet to address. Large 
companies demand 24x7 support for appli- 
cations and they want the same quality of 
support to be available in every country 
where they do business. Google has no 
background in delivering this type of sup- 
port and although it will probably develop 
support capabilities over the next few years, 
anyone considering Gmail for the enter- 
prise needs to consider this. 

Microsoft announced list prices for its standard service in July 2008, with Exchange at $10 per mailbox or $15 for Microsoft Business Productivity Online Standard Suite (Exchange, SharePoint, Office Communications Server, and Live Meeting). The annual cost for Exchange Online is more expensive than Google’s Gmail—the premier edition of Google Apps costs $50 per user per year (www.google.com/a/help/intl/en/admins/editions.html)—but it’s possibly justified by the higher levels of functionality available using Exchange. Exchange Online doesn’t support Unified Messaging, probably because of the difficulty of integrating a standard service with multiple variants of PBXs and telephony backbones. The list prices from Microsoft and Google are guidelines and depend on the number of seats, their location worldwide, the services used, the length of the contract, how the service is supported, and the volume of business that a company does with the vendor over time. 

Microsoft’s email service is likely to 
change over the coming years to incorporate 
new technology and keep pace with Google. 
The company is investing heavily in deploy- 
ing the data centers to support Exchange 
as a service and in making changes in the 
Exchange code base; you can expect to see 
many of these changes in Exchange 14, due 
in 2009. 

Unlike Google, Microsoft has to perform 
a balancing act as it develops its online 
presence. It doesn’t want to cannibalize 
its traditional market, and because not all 
of its software can yet run in the cloud, 
it doesn’t want to force customers to use 
cloud-based services because the change 
might cause customers to consider non- 
Microsoft options. If Microsoft gets it right, 
online services will add to its overall market. 
If not, it might be the start of an expensive 
dismantling of its Office franchise. 


Inhouse Email 
Because the features in Exchange and Lotus 
Notes have been assembled over the years, 
these servers can meet the needs of large 
enterprises in a way that a consumer-based 
product can’t. For example, many compa- 
nies customize the display templates used by 
Exchange to show details of objects fetched 
from AD. New fields are added, fields are 
removed, and display text altered to meet 
the exact needs of the company. A well-pop- 
ulated Global Address List (GAL) complete 
with organizational information is a very 
useful tool for anyone who has to navigate 
through the organization. You can argue that 
this level of detail can be easily traded for a 
much lower cost of operation, until you com- 
pare access to an LDAP directory through 
whatever interface you select to go alongside 
Gmail. Although the LDAP lookup works, 
it’s not as easy for users and could actually 
increase costs through lower productivity 
and additional calls to the Help desk. 
Another factor to consider is the health 
and richness of the ecosystem around suc- 
cessful products such as Exchange and Lotus 
Notes. Google is doing its best to encourage 
developers to leverage Google Apps and 
no doubt will succeed over time. Indeed, 
the fast iteration model used by Google for 
application development means that new 
solutions appear all the time. However, using 
Gmail today might mean having to search for 
new solutions to problems that have been 
solved many times over on the Exchange 
platform. Additionally, many companies 
have built a complete collaboration environ- 
ment based on Microsoft technology (e.g., 
Exchange, SharePoint, and Office Collabo- 
ration Server). It might be easy to replace 
the messaging functionality delivered by an 
inhouse email server by purchasing email 
as a service, but you need to also consider 
the overall collaboration environment of 
your users. For example, customers using 
SharePoint Online can’t expect Microsoft to 
allow them to deploy custom web parts in 
Microsoft's shared infrastructure. 

Clients are an important factor to get right because user satisfaction (and the number of calls to the Help desk) is largely determined by user interaction with the server through the client. Gmail’s standard web-based UI is simple and robust, but it could only be loved by its developers and their mothers. The biggest shock for users new to Gmail is that Gmail’s UI is devoid of the traditional folders used to organize email. Google’s perspective is that you don’t need folders to organize email because you can search for and find any message very fast. Regardless, it does take time for users to figure out how best to use Gmail. 

Gmail supports POP3 and IMAP4 access so you can connect other clients including Outlook 2007, Outlook 2003, and Outlook Express if you don’t like the web interface. I prefer to use the Windows Mail client provided with Windows Vista to connect to Gmail, and this solution works well, though an occasional glitch causes the server to lose client credentials. For a comprehensive discussion about using Microsoft clients with Gmail, see my recent article “Connect Microsoft Email Clients to Gmail,” InstantDoc ID 99782. 

It’s possible to reduce cost while preserving functionality by outsourcing email to a provider who offers full-function products (i.e., Exchange) delivered from the Internet at a predictable cost. 


A Hybrid Approach 


You might consider combining approaches 
to best meet user needs. A hybrid approach 
means deploying inhouse email for users 
who need a full feature set and deploying 
email as a service for users who need only 
the ability to send and receive messages and 
use a calendar. However, you still have as 
many factors to consider when moving to a 
hybrid approach as when you migrate from 
one email system to another: 

Interoperability. A Google Docs user 
with a Gmail account must be able to open 
and view a Microsoft Word attachment 
sent by an Exchange user, make changes to 
embedded tables while preserving the for- 
mat, and send it back to the Exchange user. 

Migration. You should be able to move 
user data from one environment to another, 
including transferring data from a legacy 
email system. 
Portability. You should be able to transfer user mailboxes between all of the email systems deployed in the enterprise (including legacy systems) without data loss. Ideally, there should be a highly automated process to move mailboxes. 

Compliance. Users who must comply 
with legislative or regulatory requirements 
should be assigned to an email service that 
can support this need. Exchange of infor- 
mation between both of the email services 
must comply with these regulations. 

e-discovery. You need to capture and 
archive messages that flow between the 
email services to meet e-discovery require- 
ments. 

Security. Both of your email systems 
should support common methods to sign 
and encrypt messages. 

Directory. The email systems should 
share a common directory that people can 
use to validate email addresses, check orga- 
nizational information, and so on. Common 
distribution lists (groups) should also be 
available. 

Service management. It’s relatively easy 
to commit to a Service Level Agreement 
(SLA) for email that’s managed inhouse but 
harder when responsibility for the delivery 
and availability of the service is moved “into 
the cloud.” It’s even more complex when you 
have different service providers managing 
different email services. It’s possible that a 
company might have to upgrade its Internet 
access if it switches network traffic from
predominantly internal access to email servers
to exclusive access to cloud-based servers, 
or a mixture of both. 


Outsourced Hosting 

With outsourced hosting, a customer con- 
tracts with an outsourcing provider to run 
the email application in the provider’s data 
center. For example, if you elect to use 
Exchange, Outlook clients access email over 
the Internet using RPC over HTTPS (aka 
the Outlook AnyWhere feature in Exchange 
2007) and network proxies direct client traf- 
fic from the customer network across the 
Internet to the provider’s data center. The 
advantage of outsourcing is that you pur- 
chase an email service at a known cost for as 
many mailboxes as required. You don’t have 
to worry about systems administration, soft- 
ware or hardware upgrades, capacity plan- 
ning, management and monitoring, and all 
of the other work required to keep an email
system running smoothly. An email hosting 
solution can also support hybrid systems 
and deliver both full-function and basic 
email to different user communities within 
the same company. 

Buying email from a cloud-based ser- 
vice offers the promise of lower cost but 
the potential loss of some functionality. 
However, it’s possible to reduce cost while 
preserving functionality by outsourcing 
email to a provider who offers full-function 
products (i.e., Exchange) delivered from the 
Internet at a predictable cost. Many service 
providers offer hosted Exchange, chiefly 
for small-to-midsized businesses (SMBs), 
and they typically use the same kind of 
infrastructure that Microsoft has built for 
its email-as-a-service solution. What's dif- 
ferent is the combination of outsourcing 
the service with Internet access. Traditional 
outsourcing runs applications such as email 
as part of a customer’s IT infrastructure or in
the service provider's data center with dedi- 
cated network access for clients who wish 
to connect to the service. Because Exchange 
2007 is more flexible than its predecessors, 
hosting based on this platform is now the 
standard for outsourcing companies who 
use the Microsoft platform. 


What Should Your Company Do? 

The advent of email as a service is just 
another change you need to take into 
account as you consider how to deliver 
email to users in the future. A simple five- 
step approach can help to crystallize the 
discussion about email and prepare you 
to balance demands from different con- 
stituencies in your company. For example, 
users will be interested in large mailboxes 
that they see available from Google while 
the CIO will want to restrict costs of deploy- 
ment, operations, and support. 

1. Don’t panic. If your current system 
is based on outdated software that will no 
longer be supported, now is a good time 
to consider options and plan for early 
action. On the other hand, if you’ve recently
upgraded to the latest software release on 
new hardware, you'll want to realize value 
from this investment and not change any- 
time soon. 

2. Know what you have today. Under- 
stand your current email infrastructure, 
from the basic hardware and software to 
clients and add-on products. Assess the
benefits and drawbacks of the current email 
system and compare it against the potential 
benefits of a new email system. You also 
need to understand how the email system 
is used today including aspects such as 
traffic volume, patterns (internal versus 
external, daily peaks, weekend use), user 
types (roaming, office, executive, basic), and 
numbers, as well as the dependencies that 
exist with other parts of the infrastructure 
such as the enterprise directory. 

3. Cost the change. Even an upgrade to
a new version of your current email system
incurs some cost. You need to understand
how much short-term and long-term investment
is required for the move. The cost categories
that should be considered include

• Transition—what work needs to be done to move from one email system to another?
• Migration of user data, system data, and applications
• Operations and monitoring
• Possible need for new software and hardware
• Support (clients and server)
• Network—your current network is probably designed to handle the load generated by clients to internal servers, but can it handle connectivity if you switch to consuming services from the Internet?
• Add-on products such as antispam, antivirus, mobile devices, and fax connectors


4. Involve users. If you decide that 
moving to a new service is a good idea, 
test the user experience with a variety 
of people so that they understand the 
advantages and disadvantages of moving. 
Get user input: Some esoteric scheduling 
feature that involves multiple calendars 
might be unimportant to you but critical 
to them. 

5. Have a Plan B. Before making a major 
change in your email strategy, you should 
know what to do if the change doesn’t work. 
For example, let’s assume that you plan to 
move 10 percent of the user population to 
email as a service. Have a plan in place if
and when users complain about missing
features, network latency, client interfaces, 
or anything else. The plan may call for you 
to back out of the new system or specify how 
to make changes (including any additional 
costs) to improve the system so that it meets 
user expectations. 


Making Your Decision 

Although SaaS makes it easy to buy and use 
a service such as email, it doesn’t make the 
decision-making process any easier. In fact, 
it can complicate matters. But equipped 
with the information you've gained, you will 
now be able to make a data-driven rather 
than emotion-driven plan for future email
services.


Iterating Through Collections with PowerShell’s foreach Loops


by Robert Sheldon 


To fully leverage the power of Windows PowerShell, you need to know how to use a
foreach loop to iterate through collections such as a string array or a list of
Windows services. PowerShell provides two types of foreach loops: the foreach
statement and the ForEach-Object cmdlet. Although you can obtain the same results
with both types of loops, they differ in several important respects. In this
lesson, I'll explain the differences and demonstrate how to use the foreach
statement and the ForEach-Object cmdlet. Note that this and subsequent lessons in
the PowerShell 201 series build on concepts explained in the PowerShell 101 series.
(See the Learning Path for the lessons in that series.)


Lesson 1 in the PowerShell 201 series explores how to use the foreach
statement and ForEach-Object cmdlet.


The foreach Statement

The foreach statement loops through the elements in a collection. The loop runs
one time for each element, executing a block of statements called a script block.
To create a foreach loop, you must define the collection that you'll loop through,
a variable to hold each element in that collection, and the script block that runs
each time you step through the collection.

Let’s take a look at an example to see how this works. The following command
declares the $birds variable and initializes it with a string array, then uses
the variable in a foreach statement:

$birds = "owl","crow","robin","wren","jay"
foreach ($bird in $birds)
{
  "$bird = " + $bird.length
}


The foreach statement begins with the 
foreach keyword, followed by a set of paren- 
theses that enclose three components 
($bird in $birds). The first component is 
the element variable, which you define spe- 
cifically to use in the foreach statement. In 
this case, the element variable is $bird, but 
you can name the variable whatever you 
want, as long as you adhere to PowerShell’s 
naming conventions. The element variable 
holds the collection’s current value as the 
statement loops through the collection. For 
example, the $bird variable’s value is owl 
in the first loop, crow in the second loop, 
and so on. 

The second component in the parentheses
is the keyword in. Use this just as is. The
third element is the collection itself, which 
in this case is accessed through the $birds 
variable. 

Next comes a set of braces. The braces 
enclose the script block that executes 
whenever a loop runs. In this example, the 
block contains only one statement—"$bird = "
+ $bird.length—that creates a simple
string, which is output to the con- 
sole. In this code, the $bird variable 
retrieves the collection value, and the 
Length property retrieves the number 
of characters in that value. 

The command returns the results 


owl = 3 
crow = 4 
robin = 5 
wren = 4 
jay = 3 


Although this example includes only one statement in the script block,
you can include as many statements as necessary. For example, here’s
a script block that contains three statements:

# Running total of the elements processed
$count = 0
$birds = "owl","crow","robin",
  "wren","jay"
foreach ($bird in $birds)
{
  $count += 1
  "$bird = " + $bird.length
  Write-Host
}
"Total number of birds is $count."

The first statement in the script block increments the $count variable by 1.
(The $count variable is defined in the first line and is used to track the
running total of collection elements.) The second statement creates the string
and outputs it to the console, as you saw in the last example. The third
statement is a Write-Host cmdlet, which simply adds a blank line to the output.

When each loop runs, all three statements in the script block run. However, the
code after the script block runs only once, after the last loop has completed.
This code uses $count within the outputted text. In this case, the value in
$count is 5. This is the value assigned to that variable during the last loop,
as shown in the results

owl = 3

crow = 4
robin = 5
wren = 4
jay = 3
Total number of birds is 5.

Although the preceding commands assign the collection (a string array) to
a variable, you don’t have to take this approach. You can define your collection
directly within the foreach statement, and you can define a collection made up
of other object types, as in

foreach ($svc in Get-Service)
{
  # Service name, a colon, and the CanStop value in uppercase
  $svc.name + ": " +
    $svc.canstop.tostring().toupper()
}

In this code, the third component in the parentheses is Get-Service. This cmdlet
returns a collection of objects, one object for each service on the local
machine. A service object is assigned to the $svc variable each time through the
loop. In the loop, the foreach statement uses $svc to retrieve the service’s name
(through the service object's Name property) and appends a colon to it. Next,
foreach uses $svc to access the service object’s CanStop property, which returns
a Boolean value that specifies whether the service can be stopped once it has
started. Finally, the foreach statement calls the ToString and ToUpper methods
to format that value. You must first convert the CanStop property's value to a
string with the ToString method before uppercasing it with the ToUpper method
because the ToUpper method is available only to string values. If you don’t want
to convert the results to uppercase, you don’t need to include the ToString
method or the ToUpper method. Figure 1 shows the results.

Figure 1: Retrieving all the services and their CanStop values

Note that when you refer- 
ence an object's methods and 
properties, their names are case 
insensitive. For example, you 
can call the ToString method by 
using letters that are all lower- 
case (as I’ve done in my exam- 
ples), all uppercase, or mixed 
case. 

Whenever you define a collection in a
foreach statement, you're basically imple- 
menting a pipeline. In the example just 
given, the pipeline is made up of the output 
from the Get-Service cmdlet. However, you 
can implement more complex pipelines, 
as in 


foreach ($svc in Get-Service |
  where {$_.status -eq 'running'})
{
  $svc.name + ": " +
    $svc.canstop.tostring().toupper()
}


In this command, the output from Get- 
Service is piped to the Where-Object cmdlet 
(referenced by the where alias), which limits 
the values returned by Get-Service to only 
those service objects whose Status property 
value is running. As I discussed in “Power- 
Shell 101, Lesson 2” (March 2008, Instant- 
Doc ID 97959), the Where-Object cmdlet 
uses the built-in $_ variable to access the 
current value in the pipeline. Figure 2 shows 
sample results returned by this command. 

As you can probably deduce, including 
the entire pipeline within the parentheses 
could get a bit unwieldy. A better approach 
might be to assign the service objects 
to a variable, then call that variable in 
a foreach statement, as in 


$svcs = Get-Service |
  where {$_.status -eq 'running'}
foreach ($svc in $svcs)
{
  $svc.name + ": " +
    $svc.canstop.tostring().toupper()
}

As you can see, the foreach statement uses $svcs to call the collection. This
command returns the same results as those returned by the previous command.

Figure 2: Retrieving only the running services


The ForEach-Object Cmdlet

You've seen how to use a foreach statement to step through a collection, but
that’s not the whole story. PowerShell also includes the ForEach-Object
cmdlet—and to keep things interesting, foreach is the name of the built-in alias
used to reference that cmdlet.

The ForEach-Object cmdlet receives a collection from the pipeline and loops
through that collection just like a foreach statement. For example, the
following command returns the same results (shown in Figure 2) as those returned
by the previous two commands:

Get-Service |
  where {$_.status -eq 'running'} |
  foreach {
    $_.name + ": " +
      $_.canstop.tostring().toupper()
  }

This statement begins by piping Get-Service’s output to the Where-Object cmdlet.
The collection returned by Where-Object is then piped to the ForEach-Object
cmdlet (referenced by the foreach alias). Notice that the foreach alias is
followed only by a script block—there isn’t any code in parentheses. The
implication of this difference between the foreach statement and the
ForEach-Object cmdlet is that, instead of defining an element variable, you use
the $_ built-in variable. Otherwise, the rest of the script block is the same as
the preceding two examples. (Note that you must place the opening brace on the
same line as the foreach alias; otherwise PowerShell treats the first line as a
complete statement.)

But how does PowerShell distinguish 
between the foreach keyword and the 
foreach alias? If foreach appears at the 
beginning of a statement, PowerShell inter- 
prets it as the keyword and processes the 
code that follows as a foreach statement. If 
it appears anywhere else, PowerShell inter- 
prets it as the ForEach-Object cmdlet alias. 

PowerShell supports another alias to ref- 
erence the ForEach-Object cmdlet: the per- 
cent (%) sign. For example, the statement 


Get-Service |
  where {$_.status -eq 'running'} |
  % {
    $_.name + ": " +
      $_.canstop.tostring().toupper()
  }


returns the same results as the 
preceding example, except that it 
uses % rather than foreach. 


The Differences

Although you can use the foreach 
statement or ForEach-Object 
cmdlet to return the same results, 
there are several differences 
between them. First, as you’ve 
already seen, the cmdlet is a 
little simpler because you don’t 
have to create a special element 
variable. Instead, you use the $_ 
built-in variable. 

Another difference is the way 
PowerShell processes the two 
statements. When PowerShell 
processes a foreach statement, it generates 
the entire collection before processing indi- 
vidual values. When PowerShell processes 
a ForEach-Object cmdlet, it processes each
value as it passes through the pipeline, so 
it uses less memory at any given time. If 
memory usage is an important consider- 
ation, you'll want to use the cmdlet. 

A third difference is that you can pass the 
ForEach-Object cmdlet’s output down the 
pipeline, but you can’t do this with the foreach 
statement’s output. For example, the follow- 
ing code passes the ForEach-Object cmdlet’s 
output to the Sort-Object cmdlet: 


Get-Service |
  where {$_.status -eq 'running'} |
  foreach {
    $_.name + ": " +
      $_.canstop.tostring().toupper()
  } | sort -descending


The Sort-Object cmdlet (referenced by the 
sort alias) sorts the output in the pipeline in 
descending order, as Figure 3 shows. 

Another advantage of the ForEach-Object
cmdlet over the foreach statement is
that the cmdlet supports three types of script
blocks, as shown in the code


Get-Service |
  where {$_.status -eq 'running'} |
  foreach {
    $count = 0 } {
    $_.name + ": " +
      $_.canstop.tostring().toupper()
    $count++ } {
    Write-Host
    "$count services are running."
    Write-Host
  }


The first script block assigns 0 to the $count 
variable. This variable tracks the number of 
elements in the collection. The second script 
block retrieves the Name and CanStop prop- 
erty values for each service and increases the 
$count value by 1. The third script block prints 
a message that includes the total number of 
services, based on the last value in $count. 
When you include three script blocks 
in this way, PowerShell runs the first block 
before the first loop, runs the second block 
one time for each loop, and runs the third 
block after the last loop. If you refer to Figure 4,
you can see how the last script block
displays a total number of services. 
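
The processing and pipeline differences described above can be observed directly. The following is an added example, not code from the article; Get-Sample is a hypothetical generator standing in for Get-Service so that the order of events is visible on any PowerShell host, and the $( ) wrapper in step 3 goes slightly beyond the article's text.

```powershell
# Added example: Get-Sample is a hypothetical stand-in for a cmdlet such as
# Get-Service. It announces each element at the moment it is produced.
function Get-Sample {
    foreach ($name in 'wren', 'owl', 'jay') {
        Write-Host "  produced  $name"
        $name    # emitted to the pipeline immediately
    }
}

# 1. foreach statement: the command in the parentheses runs to completion and
#    its whole result is held in memory before the script block runs once.
Write-Host 'foreach statement:'
foreach ($item in Get-Sample) {
    Write-Host "  processed $item"
}

# 2. ForEach-Object cmdlet: each element is handed to the script block as
#    soon as the upstream command emits it.
Write-Host 'ForEach-Object cmdlet:'
Get-Sample | ForEach-Object {
    Write-Host "  processed $_"
}

# 3. Passing results down the pipeline. The parser rejects
#    "foreach (...) { ... } | Sort-Object", so the statement is wrapped in a
#    subexpression $( ), whose collected output becomes pipeline input.
Write-Host 'foreach statement inside $( ), then sorted:'
$( foreach ($item in Get-Sample) { "$item = " + $item.Length } ) |
    Sort-Object -Descending

# The cmdlet form needs no wrapper because it is already a pipeline element.
Write-Host 'ForEach-Object, then sorted:'
Get-Sample | ForEach-Object { "$_ = " + $_.Length } | Sort-Object -Descending
```

Comparing where the "produced" and "processed" lines fall in steps 1 and 2 shows why the cmdlet holds less in memory at any given time.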


Moving Forward 

The foreach statement and ForEach-Object 
cmdlet provide powerful tools for working 
with collections. You can use either one to 
create loops that execute a set of statements 
for each element in a collection. You'll find 
that you'll use foreach loops often in your 
PowerShell scripts. And as you'll see in 
subsequent lessons, you can create far more 
complex commands than what I’ve shown
you so far.


InstantDoc ID 99873 


Robert Sheldon 
(Wiley). Find out more at www
thsheldon.com. 


Safeguard Sensitive Information


Organizations that lose sensitive customer data not only
expose that data to identity thieves, fraudulent practices,
and public access, but also expose themselves to
catastrophe. Likely penalties include losing customers,
diminished reputation and company goodwill,
and hefty regulatory penalties and fines. Increasingly,
organizations are turning to their IT departments to supply technical 
solutions to the data-protection problem. The good news is that if your 
organization uses Microsoft Office 2007 or Office 2003 and Windows 
Server 2008 or Windows Server 2003, you already have the technology 
you need to better secure content produced in Office applications at 
very little additional cost. 

Active Directory Rights Management Services (AD RMS, or simply 
RMS; formerly called Windows Rights Management Services) and 
Information Rights Management (IRM) enable authorized administra- 
tors and users to embed access and usage permissions and restrictions 
in Office documents. Before granting access to protected content, 
RMS and IRM validate trusted computers and users and enforce 
usage restrictions, such as limiting document printing, copying, and 
forwarding. The restrictions are bound to the content and accompany 
it wherever it goes, both inside and outside the organization. 

Before I explain how to install and configure an RMS server and 
show you how easy it is for end users to protect content and access protected content, let’s 
take a look inside RMS and IRM. 


RMS and IRM 


RMS is a web-based client/server infrastructure technology based on Windows Server and 
Active Directory (AD). It works by letting document authors designate access restrictions for 
files they create and extends access rights, such as Read, Edit, Print, Reply, and Forward, to 
authorized users. Those restrictions and rights govern the use of the document even outside 
your corporate firewall. 

In addition to restricting access to files, RMS encrypts them. When an author sends a 
protected file to another user or posts the file to a shared folder, every user who wants to 
decrypt and access, or “consume,” the file must first obtain a use license from the author's
RMS server. Before allowing access, RMS
checks that the end user’s application is 
a trusted application, that the user isn’t 
excluded from using RMS, and that the pro- 
tected data hasn’t expired or been revoked. 

RMS is built into Windows Vista, and it’s 
available as a role on Server 2008. There are 
differences between the Server 2008 and 
Windows 2003 RMS versions, with the for- 
mer supporting federation and introducing 
a new administration interface, scriptable 
API, and numerous other small improve- 
ments. If you have Windows 2003 R2 Stan- 
dard, Enterprise, or Datacenter Edition, 
RMS software is available as an optional 
Windows component. (You can download 
the most recent version of the software for 
Windows 2003 at www.microsoft.com/rms.) 
If you’re running Windows XP or Windows 
2000 desktops, you'll also need to download 
and install RMS SP2 Client. (I explain how to 
install the RMS client later.) 

Applications (not the OS) are respon- 
sible for enforcing users’ rights. Office appli- 
cations that support RMS out of the box 
include the XML Paper Specification viewer 
and Microsoft Word, Excel, PowerPoint, 
Outlook, and InfoPath. Several ISVs have 
also announced RMS product support. 

To create rights-protected Office docu- 
ments, you need at least Office Professional 
Plus 2007 or Office Professional Edition 
2003. To access rights-protected documents, 
you must use Office Professional 2007, Office 
Standard 2007, or Office Standard Edition 
2003. 

IRM is the application-specific UI that 
lets users of RMS-aware applications protect 
content and work with protected content. 
Using the IRM GUI menu options and 
dialog boxes, content creators build RMS 
publishing licenses, which bind the access 
and usage policies to the protected content. 
Microsoft ships IRM in Office 2003 and 
later versions of Word, Excel, PowerPoint, 
Outlook, and InfoPath. Microsoft Office 
SharePoint Server 2007 (MOSS) also sup- 
ports IRM, and the free, downloadable 
Rights Management Add-On (RMA) for 
Microsoft Internet Explorer (IE) lets users 
browse rights-protected websites and open 
protected Office documents in a limited 
fashion. Several third-party vendors extend 
IRM-like capabilities to their products that 
do not natively support IRM by shipping 
add-ons, plug-ins, or shims. 


Installing and Configuring RMS

RMS requires Active Directory (AD), Win- 
dows Server 2003 or later (I recommend 
Server 2008), and a database server, prefer- 
ably Microsoft SQL Server. Alternatively, you 
can use the Server 2008 Windows Internal 
Database, but that choice limits your RMS- 
configuration options, as you'll see. 

You need to install RMS on a server. The 
first server in a forest on which you install 
RMS is called the certification server. For 
scalability and fault tolerance, you can install 
RMS on additional servers later to form a 
certification cluster. A certification server or 
cluster issues rights account certificates to 
every user who needs to be able to protect 
content or consume protected content. The 
certification server or cluster also issues client 
licensor certificates (which let users protect 
content) and use licenses (which let users 
consume protected content). 

To install RMS on Server 2008, launch 
Server Manager and click Roles in the left- 
hand pane. In the Roles view action area, 
click Add Roles to launch the Add Roles 
Wizard. In the wizard’s Server Roles step, 
select Active Directory Rights Management 
Services; the wizard will display a dialog box 
containing details of the roles and features 
that will be installed to support RMS, such 
as Microsoft IIS and the .NET Framework. 
Click Add Required Role Services to close 
the dialog box, then click Next to step 
through the wizard. 

When asked whether you want to install 
support for federation, you can leave the 
check box cleared unless you have a spe- 
cific need for federation. Next, the wizard 
asks whether you want to create a new 
AD RMS cluster or join an existing cluster. 
Because you're installing your first RMS 
server, accept the default option—Create a 
new AD RMS cluster—and click Next. 

The wizard will ask whether to use the 
Windows Internal Database or a different 
database server. If you use Windows Internal 
Database, you can’t create a cluster later 
by adding more servers. To use an external 
database, select Use a different database 
server, then click Select to browse the avail- 
able computers and select one on which 
SQL Server is installed. If multiple instances 
of SQL Server are installed, you must also 
select the instance you want to use. 

In the next screen, click Specify, then 
enter the username and password of the 
domain user account under which RMS
will run. The wizard will ask how you want 
to configure key management. The default 
option—to store keys centrally—is accept- 
able for most enterprises. You'll also be 
asked for a passphrase to protect the keys. 

You'll need to specify the website on 
which to install RMS. I recommend that 
you use the default website. I also recom- 
mend that no other web-based service be 
installed alongside RMS on the same web- 
site, as there are known conflicts with some 
such services, such as Windows SharePoint 
Services. 

In subsequent steps, you'll enter the 
internal web address by which the RMS 
server will be known and specify whether 
to use Secure Sockets Layer (SSL) to protect 
RMS. To specify the internal web address, 
you should use a Fully Qualified Domain 
Name (FQDN); otherwise, you won't be 
able to add servers later to create a cluster. 
The best practice is to use a DNS virtual 
A record that has the same IP address as 
the RMS server and website. For the SSL 
option, I recommend that you choose to 
use SSL—if you plan to support federation 
later, you must select SSL now. If you accept 
the default to use SSL and you don’t have 
IIS installed or websites configured for SSL, 
the wizard prompts you to either choose an 
existing SSL certificate, create a self-signed 
certificate, or install one manually later. If 
you opt to install an SSL certificate later, you 
configure RMS. You can
always use the IIS admin- 
istration tool to request a 
different certificate later. 

Next, you'll specify 
a name for your RMS 
installation and specify 
whether you want to reg- 
ister RMS in a service- 
ConnectionPoint (SCP) 
object in AD. If you don’t, 
you'll have to configure 
registry overrides on 
users’ computers before 
they can use IRM. I cover 
SCP registration and reg- 
istry overrides later. 

If you haven’t installed
IIS or haven't configured
it to support RMS, the
wizard will show you what
will be installed or configured.
You shouldn’t have
to make any changes. If
you're happy with your
selections when the wiz- 
ard lists them for your review, simply 
click Install to proceed. You'll need to 
restart your server to make RMS avail- 

Figure 1: Viewing RMS configuration details

Installing and Using IRM

The RMS client is built into Vista and
doesn’t need to be installed—as long
as you publish the SCP in AD when 
you set up RMS, no further configu- 
ration is required. For XP and Win2K 
systems, you need to download the 
RMS client from www.microsoft 
.com/rms. To distribute the package, you can 
use Microsoft Systems Management Server, 
System Center Configuration Manager (a 
third-party software distribution tool), or 
Group Policy. If you use Windows Server 
Update Services or Microsoft System Center 
Essentials, you can distribute the RMS client 
as an update. If you didn’t publish the SCP 
in AD, you need to set each client machine’s 


www.windowsitpro.com 


Change Perrewo7 


Customer Loas Ust 


jmytenring $50,000 1245-67968 


MilesCerton $23.4000 111-22-3333 


Figure 2: The IRM buttons in Outlook and Word 


HKEY_LOCAL_MACHINE\SOFTWARE\ 
Microsoft\MSDRM\ServiceLocation\Enter 
prisePublishing registry subkey to the value 
http://internal address/_wmcs/Licensing, 
where internal address is the URL of the 
RMS server specified during installation. If 
you're using SSL, substitute https for http. 
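One way to script the registry override described above and to check it afterward, as an added example that is not from the article. It assumes the licensing URL is stored as the subkey's default value; the function names and the host name rms.corp.example are hypothetical.

```powershell
# Added example: write and audit the RMS client override (run elevated; HKLM is written).
# Assumption: the licensing URL is the default value of the EnterprisePublishing subkey.
$RmsKey = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing'

function Get-RmsLicensingUrl {
    param(
        [Parameter(Mandatory = $true)][string]$InternalAddress,  # FQDN entered during RMS setup
        [switch]$UseSsl
    )
    # Accept only a dotted host name: no scheme, port, path or whitespace.
    $fqdn = '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]{0,61}[A-Za-z0-9]$'
    if ($InternalAddress -notmatch $fqdn) {
        throw "'$InternalAddress' is not a fully qualified domain name."
    }
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    return '{0}://{1}/_wmcs/Licensing' -f $scheme, $InternalAddress
}

function Set-RmsLicensingOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Url)

    if ($PSCmdlet.ShouldProcess($RmsKey, "set default value to $Url")) {
        if (-not (Test-Path -LiteralPath $RmsKey)) {
            New-Item -Path $RmsKey -Force | Out-Null
        }
        # For the Registry provider, Set-Item writes the key's default value.
        Set-Item -LiteralPath $RmsKey -Value $Url
    }
}

function Test-RmsLicensingOverride {
    param([Parameter(Mandatory = $true)][string]$ExpectedUrl)

    if (-not (Test-Path -LiteralPath $RmsKey)) {
        return [pscustomobject]@{ Status = 'Missing'; Value = $null }
    }
    $value = (Get-ItemProperty -LiteralPath $RmsKey).'(default)'
    $status =
        if (-not $value)                { 'Empty' }
        elseif ($value -ne $ExpectedUrl) { 'Mismatch' }   # points at a different server or scheme
        elseif ($value -like 'http://*') { 'Cleartext' }  # matches, but the RMS site is not on SSL
        else                             { 'Ok' }
    return [pscustomobject]@{ Status = $status; Value = $value }
}

# Constructed host name; replace it with the internal address chosen at RMS setup.
$url = Get-RmsLicensingUrl -InternalAddress 'rms.corp.example' -UseSsl
Set-RmsLicensingOverride -Url $url -WhatIf    # remove -WhatIf to write the value
Test-RmsLicensingOverride -ExpectedUrl $url
```

Running the check from a logon or inventory script reports clients that still point at an http address or at a server other than the one you expect.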
Users typically won't need to take any special steps to begin using IRM. Office applications will automatically detect the RMS client, and the first time a user protects a document or email message or attempts to consume a protected document or message, the IRM features will be available in the GUI. As long as the client and user are validated, the user is issued every license and certificate necessary to protect content or access protected content. Figure 2 shows a protected email message and Word document and their respective IRM buttons.

Figure 3: Word's Permission dialog box


When a user's client initially connects to 
the RMS server, the user is prompted to enter 
credentials if the server’s internal address 
isn’t in IE’s Local intranet zone or in another 
zone that’s configured to automatically send 
credentials when they're required. In that 
case, either the user can manually add the 
internal address to the Local intranet zone or 
you can configure all your users’ IE settings 
through Group Policy. 

To protect and send an Outlook email message, you can simply click Permission on the message’s toolbar and click Send. Recipients are automatically granted the rights to read and reply to the message, but not to forward or print it. You can also create and use templates to grant more rights or further restrict rights. To protect content created by other Office applications, you click the Protect Document button on the Review tab, then select Restricted Access to open the Permission dialog box shown in Figure 3. Select the Restrict permission to this document check box to make the dialog box’s options available, and enter the names of users who will have Read and Change rights. If you have Microsoft Exchange Server 2007 or 2003 in your environ[…] the Select Names dialog box appear. In an Exchange 2007 or 2003 shop, you can grant rights to user groups and mail-enabled universal security groups and enter user and group names directly into the fields alongside the Read and Change buttons.

Figure 4: Additional Permission options

If you aren’t using Exchange 2007 or Exchange 2003, you can specify users and groups by email address. To give users outside your organization rights to content, you'll have to use email addresses and configure RMS for external collaboration.


To change or add permissions, click More Options in the Permission window to see the dialog box in Figure 4. The expiration option lets you specify a date after which users can’t open the protected document regardless of their permissions. The author can still open the protected document and can remove permissions or extend the expiration date.

With that basic understanding of how to 
use IRM, let’s look at how to create and use 
templates to avoid mistakes when configur- 
ing content protections. 


Creating and Using Templates 
If your users repeatedly grant certain recipients the same rights to content, you can use templates to simplify the process. You create and store the templates on the RMS server, then distribute them to users, either individually or in a file share. (The latter option is practical for mobile users only when combined with offline folders.)

Figure 5: The Distributed Rights Policy Templates window

Templates are created as XML files. To cre- 
ate a template, open the RMS role in Server 
Manager, expand a server node, and select 
the Rights Policy Templates node to open the 
Distributed Rights Policy Templates window, 
shown in Figure 5. Set the template-storage 
location by clicking Change distributed rights 
policy templates file location at the bottom of 
the center pane. Select Enable export in the 
Rights Policy Templates dialog box and enter 
the UNC path of a folder to which the RMS 
service account has change permissions, as 
Figure 6 shows. Click OK, then make sure 
that the service account has both NTFS and 
share-level permissions. Next, click the Cre- 
ate distributed rights policy template link in 
the right-hand pane. 

Actually creating the template is a five- 
step process. 

1. For each language you use, specify 
the template name and a description. 

2. Specify users and groups and the 
rights you want to grant to each. 

3. If you want content to expire, specify 
an expiration interval. You can also force 
users to obtain a new use license at a speci- 
fied interval. Designating end-user license 
expiration dates is useful in conjunction 
with exclusion, an advanced feature used 
to deny access to protected content. 

4. Configure whether users can view protected content using the RMA and whether they must obtain a new use license every time they open protected content.

5. Configure revocation lists. An advanced feature that isn’t commonly used, revocation lets you revoke rights-protection components. For example, you can use revocation to prevent users who were erroneously granted access rights from opening a document

[…] setting to each user’s computer, where version is 12.0 for Office 2007 and 11.0 for Office 2003. To modify the registry for multiple users, you can download and use the Office 2007 administrative templates (available at www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7) and Group Policy. After you configure the template path, Office applications import the templates and display them under the Protect Document menu option, as in Figure 7.


Real Data Protection 

IRM and RMS take Office applications in a powerful new direction to help you prevent accidental data loss and intentional but inappropriate disclosure of sensitive organizational information. Once you've set up RMS, IRM lets users easily protect sensitive Word documents, Excel spreadsheets, PowerPoint presentations, Outlook emails, and InfoPath forms. If you also consider how user-friendly IRM is, it can be a good security solution for organizations of all sizes.

Figure 6: Specifying a storage location for RMS templates

Figure 7: Viewing templates in Word

John Howie (jhowie@microsoft.com) is a director with the Office of International Affairs at Microsoft. He has more than 15 years of experience in information security and is a CIPP, CISA, CISM, and CISSP.


NEW & IMPROVED


Ceedo Unveils Application Virtualization Product


Ceedo Technologies has announced 
Ceedo Enterprise, a new virtualization 
product that lets IT administrators deploy 
and manage virtual desktop workspaces. 
Administrators aren't required to package 
applications before deployment, and the 
product lets users customize their own 
workspaces without involving IT staff. 
Ceedo environments can be deployed on 
any PC that runs Windows 2000 Server or 
later. Ceedo Enterprise clients are available 
now for $89 per seat perpetual license, 
with volume discounts available. For more 
information, go to www.ceedo.com. 


Astaro Thumb Drive Eliminates Reimaging

Security appliance vendor Astaro recently released the Astaro Smart Installer, a USB flash drive that servers and hardware appliances see as an external CD-ROM drive loaded with a bootable image. This device lets customers install Astaro software appliances and reimage Astaro hardware appliances, eliminating the need to purchase new hardware or load the data via an external drive. The Astaro Smart Installer is available for Astaro Security Gateway and Astaro Web Gateway products for $99. For more information, contact Astaro at 781-345-5000 or visit www.astaro.com.


FastScale Composer Suite Adds Windows Support

FastScale Technology has unveiled a new version of FastScale Composer Suite, a virtualization management solution that automatically builds, manages, and deploys physical and virtual server environments as needed. The new release adds support for Windows Server 2003 to the existing Linux server support and offers application provisioning, improved scalability, a revamped UI, and configuration options designed to simplify virtual infrastructure management for large enterprises. FastScale Composer suite is available now; pricing begins at $30,000. To learn more, call 408-463-6130 or visit www.fastscale.com.


Cemaphore Systems Replicates to Google's Cloud

Cemaphore Systems recently announced MailShadow for Google Apps Beta 2 (MailShadowG), which frees your company from the need to maintain its own email continuity and recovery servers. MailShadowG synchronizes messaging data to Google's infrastructure through a Gmail account. Synchronization is bidirectional, so users of Gmail's email, contacts, and calendars will have their information synchronized with their Microsoft Office Outlook client. For more information about MailShadowG, call Cemaphore at 650-227-5400, email info@cemaphore.com, or go to www.cemaphore.com/index.php.


SPOTLIGHT

Green Hosted Services

As part of an initiative to make itself more eco-friendly, managed-service provider Rackspace announced the availability of green managed hosting. After a customer selects one or more services that suit his or her company’s needs, Rackspace configures, maintains, […] and related devices and works with carbon-offset provider NativeEnergy to invest in renewable-energy projects that offset the carbon emissions produced by those servers. Rackspace also offers servers that use eco-friendly components, such as low-voltage processors and energy-efficient hard drives. For more information, contact Rackspace at 210-312-4700 or sales@rackspace.com, or visit www.rackspace.com.


The number of Rackspace’s worldwide 
customers, in thousands. 




EVERYTHING BUT MICROSOFT 


“It is in the character of very few men to honor without envy a friend who has prospered.”


Apple Envy in Redmond 


Welcome to the first installment of Everything But Microsoft, a new 
monthly column that casts a critical eye at Microsoft and covers 
important non-Microsoft news and views in the IT community. 


Apple is on a roll these days. Other than the embarrassing release of the not-quite-fully baked MobileMe service, Steve Jobs and the crew at One Infinite Loop have been showered with positive press about strong Mac sales, booming iPhone business, and even increased Mac adoption by the enterprise.

Mac sales in 2008’s second quarter were the highest ever, with 
market-research firm Gartner estimating that Apple sold 1.4 million 
Macs in that period—enough to leapfrog Apple over Acer to become 
the third largest PC vendor in the United States by sales volume. 
Even more news of Apple’s good fortune came in the form of an 
August 2008 Yankee Group report indicating that the Mac is making 
noticeable gains in the enterprise. Report author Laura DiDio found 
that approximately 80 percent of the more than 750 IT professionals 
surveyed have Macs operating on their networks. “Although the Apple 
Mac hardware and OS X operating systems still represent a small niche, 
adoption and acceptance of Mac hardware and operating system soft- 
ware are growing at a steady and sustained pace not seen since the late 
1980s,” DiDio said. “Use of Apple products in a corporate environment 
is much more pervasive and complex than previously thought.”

By comparison, Microsoft seems to be under the gloom of 
(somewhat undeserved) negative press these days, much like a 
cartoon character in the shadow of a perpetual rain cloud. Earlier 
this year, a class-action lawsuit stemming from Microsoft's ill-fated 
Windows Vista Capable marketing campaign revealed embarrassing 
email messages about Microsoft execs unable to use printers and 
run Vista on their own laptops. And corporate customers have been 
slow to adopt Vista; a June 2008 survey of IT pros—commissioned 
by KACE Networks and conducted by King Research—indicated that 
more than 60 percent of the 1,162 IT professionals surveyed had no 
Vista migration plans. 

Truth be told, Vista has improved mightily since its January 
2007 release. It had some early teething pains and still runs like cold 
gravy on minimum-spec machines, but I’ve largely had a positive 
experience with it. And the Vista migration here at the Penton Media 
offices earlier this year went off without a hitch. 

But after ignoring the growing perception that Vista was a dud for
more than a year, Microsoft has belatedly decided to strike back—by
saying it needs to be more like Apple? Microsoft CEO Steve Ballmer
must have been glowing an envious green when he typed the follow- 
ing in an email message (which was reprinted by Todd Bishop at the 
Seattle Post-Intelligencer) to Microsoft employees. “In the competi- 
tion between PCs and Macs, we outsell Apple 30-to-1. But there is no 
doubt that Apple is thriving,” wrote Ballmer. “Why? Because they are 
good at providing an experience that is narrow but complete, while 
our commitment to choice often comes with some compromises to 
the end-to-end experience.” 

In another example of Microsoft's dewy-eyed glances at Apple, 
a recent Microsoft news release eagerly proclaimed ActiveSync 
support for the iPhone, a marketing move equivalent to joining a 
screaming throng of teenage girls chasing their favorite boy band. 
Then there was the Mojave experiment, a thinly veiled homage to 
those soft-drink taste tests in which Microsoft gathered up a panel 
of computer novices, had them test a new OS called Mojave (really 
Vista in drag), then performed a Candid Camera-style “It’s not
Mojave, it’s Vista!” reveal at the end.

Microsoft is determined to change public perceptions about 
Vista, but I don’t think an ad campaign hinged upon saying “Sure, 
Vista used to suck, but it’s better now!” will inspire IT managers 
to bust out their purchase orders and schedule a Vista migration. 
General Motors made a similar mea culpa in 2003 with an expensive 
“road to redemption” effort that reminded potential customers GM 
made cars in the 1980s that leaked oil, dropped important metal 
bits, and spewed clouds of discolored smoke at random intervals, 
but promised that GM had learned its lesson and would make bet- 
ter cars. GM learned that producing better products was the answer, 
and Microsoft should do the same: Why tout the merits of damaged 
goods when you can develop and promote new products that don’t 
have the negative PR baggage? It would be foolish to think that Apple 
could ever challenge Microsoft’s dominance in the enterprise, but 
the Mac is making some headway in a world in which small busi- 
nesses are increasingly using consumer technologies such as the 
iPhone and VMware Fusion to meet their needs. And Microsoft? 
I’m no Dr. Phil, but Ballmer and company might be better served 
by ditching the Apple fixation and marketing better products.

JEFF JAMES (jjames@windowsitpro.com) is senior editor, products, for Windows IT Pro and SQL Server Magazine. He specializes in virtualization and terminal services and has over 15 years of experience as a writer and


Link Analyst


Link Analyst from Network Instruments is a toolset designed to help you monitor your Windows-based network. It uses a combination of SNMP and Windows Management Instrumentation (WMI) to find and monitor Windows servers and network hardware. After it discovers all of the network devices, you can display them in a business group or as a route map.

Right out of the box, Link Analyst is set up to monitor Active Directory (AD), Exchange, Microsoft IIS, Microsoft Virtual Server 2005, printer and router utilization, SQL Server, switch utilization, and various brands of wireless access points. Link Analyst can monitor anything that has WMI or SNMP support and can monitor syslogs and Windows event logs. The GUI also indicates monitor options for “Windows Workstation” and “VMware Virtual Server.”

Link Analyst requires a 1GHz Pentium processor with 1GB of RAM. I had no problems with the setup, which went off without a hitch.

Link Analyst immediately guides you through the process of discovering your network. It gives you three choices for Discovery Mode: Discover network devices and network topology (the default), Discover network devices only, and Simply create an empty Business Group. I will add devices manually. I chose the default so that the application would try to find everything on my network. After I chose the IP range and the services to scan for and set some WMI credentials (such as user account with permissions to read WMI information), I was ready to scan my network. (You do need to have the correct SNMP and WMI credentials, or the discovery tool might not find all of your devices.) The scan of my 10 devices went relatively quickly, and I was soon presented with an accurate map of my network.

Link Analyst has a simple interface that’s very easy to navigate. After a few minutes poking around in the program, I felt right at home. The menus are laid out in a logical manner, and the tabs on the Program Options page (the main configuration page) let you quickly set up new monitors, notifications, and other settings.

The product does have some shortcomings that blemish an otherwise outstanding tool: Link Analyst doesn't run as an NT service, and it’s limited to WMI and SNMP-type monitoring.


Link Analyst

PROS: Built-in monitoring for many popular services and network devices; easy to create additional monitors

CONS: Monitors only devices and software enabled by WMI and SNMP; doesn’t run as an NT service; must be running on a logged-on desktop to be able to gather information

PRICE: Begins at $2,495 for monitoring up to 100 devices

RECOMMENDATION: If your entire network can be monitored with WMI or SNMP, take a look at Link Analyst.

CONTACT: Network Instruments • www.networkinstruments.com • 800-526-7919


Paul’s Picks


SUMMARIES of in-depth product reviews on Paul Thurrott’s SuperSite for Windows


Apple MobileMe

PROS: Push email, contacts, and calendar work great with iPhone

CONS: PC and web experiences are lackluster; push technology eats at iPhone battery life; expensive

RECOMMENDATION: I can't recommend Apple's MobileMe service to any Windows user. […] us” is buggy, incomplete, and painful to use, especially on the PC. However, the iPhone user experience is excellent despite battery-life problems associated with push-based data syncing. For now, even if you've bought the iPhone, skip this service.

CONTACT: Apple - www.apple.com

DISCUSSION: www.winsupersite.com/reviews/mobileme_01.asp


Windows Home Server Power Pack 1

PROS: Free update adds major new functionality, fixes bug

CONS: Still lacks Complete PC Backup and Restore-style server backup

RECOMMENDATION: Windows Home Server (WHS) Power Pack 1 (PP1) is a free update to Microsoft's home server that adds x64 client compatibility, server backup (of file shares, not the server state), and remote access improvements, as well as other useful changes. Microsoft fixed a slew of bugs too, including the infamous data corruption bug that has bedeviled WHS since last December. Did I mention it’s free? Customers of HP’s popular WHS-based MediaSmart Server get two add-ons along with PP1: a McAfee-based server antivirus tool and a media-sharing solution certified by the Digital Living Network Alliance.

CONTACT: Microsoft - 800-426-9400 - www.microsoft.com

DISCUSSION: www.winsupersite.com/reviews/whs_pp1.asp


QNAP Systems NAS Server with Mtron SSDs


Technologies are always improving, but dramatic leaps such as the transition from spinning magnetic media to solid-state storage are rare. As a techno-geek, I jumped at the chance to take a look at the QNAP Systems TS-411U NAS containing four Mtron SSD Pro 64GB disks sent to us by DV Nation.


The Physical Specimen 

The TS-411U looks like a typical 1U rack- 
mount storage device—my first impression 
was of a generic NAS platform into which 
SSDs had been installed. A drop-down 
front panel sports an LCD with two menu 
control buttons and conceals four lock- 
able drive trays. The rear of the unit has 
two USB 2.0 ports, two Ethernet ports, and 
an Ultra160 SCSI connector. Redundant 
150-watt removable power supplies are 
accessible from the rear, but the single 
shared AC line receptacle leaves the poten- 
tial for an unplugged cord to be a single 
point of failure. 


Configuring the System 

I connected the power and network cables to the system and turned it on. After booting, the system displayed its DHCP address on the LCD. Using the front-panel buttons to navigate the configuration menus was fairly straightforward and intuitive.

The admin UI offers a fairly wide array of configuration options, including NIC load balancing for failover or performance, RAID configuration, Active Directory (AD) domain membership, and file sharing configuration. I struggled a bit to supply the domain information in the format the NAS device wanted, but after I got it set properly, I was able to manage share permissions using AD groups and users.

The SCSI and USB ports allow for direct connection of tape drives and DVD burners, respectively, for backing up data that’s stored on the NAS. The device software handles the backup operations.

You might be wondering how the TS-411U differs from a typical NAS system. The answer is that it doesn’t. So what's the net benefit? In a word: performance. But the problem is that NAS simply isn’t a good use of SSDs. NAS puts too many layers between the bus and the disk interface, and each layer injects latency, overhead, and bottleneck potential. One application that could leverage the performance of SSDs, thus justifying their cost, is SQL Server databases—particularly tempdb. But with today's technology, no amount of physical disk speed can help NAS be a good storage option for SQL Server—or for other apps that could really benefit from a surge in performance.

Even though NAS isn’t the best use for SSDs, they did perform better than some traditional SCSI and SATA hard drive-based shares I had at my disposal and were much quieter. I didn’t measure power consumption, but it’s logical that the absence of constantly spinning platters would require less energy and generate less heat than typical disk drives.


A Square Peg 
Although there was a notable quickness about the TS-411U, the mismatch between the SSD and NAS technologies doesn't provide a good ROI. The story would likely be different if the SSDs were used in a device that put the least possible amount of connecting technology between the system and the disk, letting you apply the power of SSD exactly where it’s needed. I'm going to keep my eye on this new technology, though, in the anticipation that prices will drop over the next few years.

InstantDoc ID 99997

Ed Roth | roth_ed@comcast.net


QNAP Systems NAS Server with Mtron SSDs

PROS: Fast access for a NAS device; quiet operation

CONS: The pairing of SSD and NAS doesn't provide performance ROI; cost of SSDs

PRICE: About $2,000 street price for the QNAP NAS, plus $1,100 per Mtron 64GB SSD drive

RECOMMENDATION: For mission-critical apps that demand the best possible performance, buy SSD drives and attach them directly to servers; otherwise, wait for the price of SSDs to come down. If you need NAS, buy it with traditional storage (e.g., SATA, Serial Attached SCSI).


BUYER’S GUIDE


Enterprise Backup and Recovery Software

Protect your data now—and save yourself a recovery headache later

by Lavon Peters

To protect your company’s data and be able to recover data quickly, you need to select the right backup and recovery software for your servers. The buyer’s guide table on page 66 lists enterprise backup and recovery products and features that can help you make that choice.

Windows OSs include built-in backup and recovery tools, but if these tools don’t fit your needs, you might want to consider a third-party solution (including Microsoft's separate Data Protection Manager—DPM). Let’s review some essential characteristics of backup and recovery software products.


Media Compatibility

You'll want a product that will scale to the size of your environment and is compatible with your current and future OSs and applications. You'll also need to choose a product that’s compatible with your existing backup media. You might want to consider buying a product that uses a different backup media type to supplement your current backup strategy. For example, a common approach is to implement a disk-to-disk (D2D) backup system to ensure continuous data protection, then periodically archive the backup disk to tape to use for disaster recovery.


Backup Types: Differential, Remote, and VSS Snapshots

To save time and reduce the number of unnecessary backups, many products run periodic differential backups, which include only data that has changed since the last full backup, in contrast to a complete backup of all data on a volume or system. Consider whether a product that performs full or differential backups makes more sense for your environment.

Remote functioning is another feature to consider. If your environment includes remote systems, you might need to back up to and recover data from those systems. The ability to back up and recover your systems from a remote location is essential, especially for all those times that you’re away from the office—whether at a conference, on vacation, or just at home for the weekend.

In addition, you might want your backup and recovery software to be compatible with Microsoft’s Volume Shadow Copy Service (VSS), which takes point-in-time snapshots of data and lets applications continue to operate while the backup runs.


Virtualization

As virtualization becomes more prevalent, being able to back up and recover data on virtual machines (VMs) is more important than ever. If you use VMs, your backup and recovery solution should support backup and recovery of data on VMs. A growing trend is for businesses to use virtualized environments specifically for disaster recovery—to provide a mirrored recovery environment that you can switch over to if your physical servers or production virtual servers are damaged in a disaster.


Analysis, Scripting, and Reporting 

Capabilities such as pre-backup analysis, scripting, and reporting 
can give you additional, useful information about backup and 
recovery in your environment or automate backup and recovery 
tasks. A pre-backup analysis will determine whether your stor- 
age device has enough disk space to contain the backup and how 
long the backup will take. In addition, many of the products in this 
buyer’s guide will let users schedule backups by date and time, by 
a defined interval (e.g., three hours, one week), by specific events 
in the event log, by the amount of data changed, or even by specific 
triggers (e.g., when the computer starts or shuts down, when the 
user logs on or off). 

Scripting your backups can also be helpful, so that you don’t 
have to schedule them manually. Most of the products in this buyer’s 
guide are scriptable and support a wide variety of scripts, such as 
command-line interface, various shell languages, and Windows 
PowerShell. Calling a backup program from your own script can save 
time and effort down the road. 

Systems administrators don’t have time to babysit their backups, 
so built-in reporting features are handy for monitoring backup and 
recovery status. Common reporting options include email notifi- 
cations, pager alerts, or reports that are output as Microsoft Excel 
spreadsheets, comma-separated value (CSV) files, HTML files, or 
other file formats. 


Choices, Choices 
Ever-changing compliance requirements mean that your backups 
must be as current and complete as possible. Although choices 
abound for enterprise-level backup and recovery software, select- 
ing the right product for your environment can be confusing. 
See the table on page 66 for a comparison of more than a dozen 
options. 

InstantDoc ID 100032. 
BACKUP AND RECOVERY SOFTWARE 


Company: *Acronis; www.acronis.com; 781-222-0920 
Product: Acronis True Image Echo Server for Windows 
Price/Licensing: $699 per server 
Supported OSs: Windows Vista; Windows Server 2003 (multiple versions), Windows 2000 (multiple versions), Windows XP (multiple versions), Windows NT Server 4.0 SP6; Windows Small Business Server (SBS) 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint 
Backup Media: Hard disk drives (HDDs), Acronis Backup Server; networked storage devices; FTP servers; CD-R/RW, DVD-R/RW, DVD+R/RW, Zip, Jaz, and other removable media; tape libraries; PATA (IDE); SATA; SCSI; SAS; IEEE1394 (FireWire); USB 1.0/2.0 drives; PC card storage devices 
Pre-Backup Analysis? Yes: estimates image size and backup time 
Schedulable? Yes: by time (daily, weekly, monthly); when computer starts; when user logs on; when computer shuts down; when user logs off; by event 
Scriptable? Yes: command-line, XML 
Reporting Options: Email, WinPopup, log file, SNMP notification, Windows event log 
Differential Backups? Yes (incremental and differential) 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Asigra; www.asigra.com; 416-736-8111 
Product: Asigra Televaulting 7.0 
Price/Licensing: Capacity-based pricing; starts at $8,500 per compressed de-duped terabyte 
Supported OSs: All Windows platforms 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: All versions of Exchange Server, SQL Server, SharePoint, Microsoft Virtual Server 
Backup Media: Disk, tape 
Pre-Backup Analysis? Yes 
Schedulable? Yes 
Scriptable? Yes: script-language agnostic; includes Emacs, Emacs Lisp, Tcl, Lua, Visual Basic for Applications (VBA), Java, Microsoft .NET Framework 
Reporting Options: Email, GUI, pager (any SMTP system), Microsoft Excel, HTML 
Differential Backups? Yes 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Atempo; www.atempo.com; 650-494-2600 
Product: Time Navigator Enterprise Edition 
Price/Licensing: Starts at $4,600 for 1 server, 10 agents, and 1 tape drive connection; additional modules such as Exchange CDP, SQL Server Agent, and SharePoint available for $1,750 each; Windows agents available for $500 each; volume-based pricing available from 100GB to 50TB 
Supported OSs: Server OSs: Server 2008, Windows 2003, Win2K; Linux; Mac OS X; HP Tru64; HP-UX; IBM AIX; SGI IRIX; Solaris. Client OSs: Windows Vista, Windows XP, Win2K; Linux; Mac OS X; FreeBSD; HP Tru64; HP-UX; IBM AIX; IBM i5; NetWare; other 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, MySQL, SharePoint Portal Server, IBM DB2, IBM Informix, Lotus Notes, MaxDB, NCR Teradata, Oracle, SAP R3, Sybase 
Backup Media: Tape, WORM, virtual tape library (VTL), disk, NAS device, optical disk, content-addressable storage (CAS) device 
Pre-Backup Analysis? Yes 
Schedulable? Yes: by time 
Scriptable? Yes: Perl, shell scripts, API in C 
Reporting Options: Email, web reporting, CSV and XML files 
Differential Backups? Full, incremental, and synthetic full backups 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: BakBone Software; www.bakbone.com; 858-450-9009, 877-939-2663 
Product: NetVault: Backup 8.1 
Price/Licensing: Starts at $895 
Supported OSs: Windows, Linux, UNIX, Mac OS 
Windows Server 2008/Server Core Compatibility? No, but planned for the next version 
Supported Applications: Exchange Server, SQL Server, SharePoint 
Backup Media: Tape, VTL, disk 
Pre-Backup Analysis? Yes 
Schedulable? Yes 
Scriptable? Yes 
Reporting Options: Email, HTML, CSV, plain text; reports can trigger a NetVault: Backup event, with notification via email, Windows pop-up, operator message, or job kickoff 
Differential Backups? Yes 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: CommVault; www.commvault.com; 732-870-4000, 888-746-3849 
Product: CommVault Galaxy Data Protection 7.0 
Price/Licensing: Less than $20,000 as part of the Simpana software suite, for up to 10 servers 
Supported OSs: Server 2008, Windows Vista, Windows 2003, Windows XP, Win2K 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, Microsoft Business Solutions, Office Communication Server (OCS), Data Protection Manager (DPM), Active Directory (AD), Microsoft SQL Server Desktop Engine (MSDE), Office, Outlook 
Backup Media: Magnetic disk, Magneto-optical drive, DVD, tape, SAN, NAS 
Pre-Backup Analysis? Yes 
Schedulable? Yes 
Scriptable? Yes 
Reporting Options: Email, pager, PDA, Excel, HTML, Microsoft Operations Manager (MOM), flat text 
Differential Backups? Yes; also performs synthetic full backups 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Double-Take Software; www.doubletake.com; 508-229-8483, 888-674-9495 
Product: Double-Take for Windows 
Price/Licensing: Starts at $3,295 per license, with 1 year of 24 x 7 x 365 support and maintenance 
Supported OSs: Server 2008, Windows 2003, Win2K 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, BlackBerry Enterprise Server 
Backup Media: Disk 
Pre-Backup Analysis? Yes 
Schedulable? Yes: continuously, by time, by defined interval in minutes, by amount of data changed 
Scriptable? Yes: command-line interface (CLI), COM API 
Reporting Options: Email, event logs, SNMP, custom reports 
Differential Backups? Yes 
Virtual Machine Compatibility? Yes; special VM pricing available 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: *EMC; www.emc.com; 508-229-8483, 866-438-3622 
Product: NetWorker (formerly Legato NetWorker) 
Price/Licensing: Starts at $1,150 
Supported OSs: Server 2008, Server Core, Windows Vista, Windows 2003, Windows XP, Win2K 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, Virtual Server 2005 R2, Windows Unified Data Storage Server 2003, Windows Storage Server 2003 R2, DPM, Oracle, SAP, IBM DB2, IBM Informix, Lotus Notes, Sybase, Documentum, MEDITECH 
Backup Media: Disk, virtual tape, tape, optical disk 
Pre-Backup Analysis? Yes 
Schedulable? Yes: by time or by event; also scriptable to encompass most desired triggers 
Scriptable? Yes: in any OS-supported language 
Reporting Options: Email; built-in graphical reporting; can export to PDF, HTML, PostScript, or CSV for Excel reports or Crystal Reports files 
Differential Backups? Yes 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes: supports WAN-based backup and recovery; web-based management enables remote backup and recovery from anywhere 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: HP; www.hp.com; 800-888-9909 
Product: HP Data Protector Software 
Price/Licensing: Windows Starter Kit, $1,158; advanced features licensed separately per terabyte 
Supported OSs: Server 2008, Windows Vista, Windows 2003, Windows XP Professional, Win2K 
Windows Server 2008/Server Core Compatibility? Yes; additional support in Q4 2008 
Supported Applications: Exchange Server 2007, Exchange Server 2003, Exchange 2000 Server; SQL Server 2005/2000/7.0; SharePoint Portal Server; Virtual Server 2005; Microsoft Cluster Server; Oracle; SAP 
Backup Media: Tape, virtual tape, disk 
Pre-Backup Analysis? Yes (through HP Services) 
Schedulable? Yes: by time or by event 
Scriptable? Yes: CLI 
Reporting Options: Built-in reporting module 
Differential Backups? Yes 
Virtual Machine Compatibility? Yes 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: IBM; www.ibm.com; 888-426-4968 
Product: IBM Tivoli Storage Manager 
Price/Licensing: $67 per client license; $355.40 for 100 Processor Value Unit (PVU) licenses; $35.54 for 10 PVUs 
Supported OSs: Server 2008, Server Core, Windows Vista, Windows 2003, Windows XP Pro 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, IBM DB2, IBM Informix, Oracle, Lotus Domino, SAP, mySAP 
Backup Media: Disk, tape, optical, DVD, VTL 
Schedulable? Yes: built-in calendar/time-based scheduler; supports scheduled backups and event-based scheduling with an external scheduler 
Scriptable? Yes: CLI that supports any Windows scripting language 
Reporting Options: Email, desktop alert, export to website 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Microsoft; www.microsoft.com; 800-426-9400 
Product: Microsoft System Center Data Protection Manager 
Price/Licensing: $573 
Supported OSs: Server 2008, Windows Vista Business, Windows 2003, Windows XP SP2 Pro 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange 2007/2003; SQL Server 2008/2005/2000 SP4; Microsoft Office SharePoint Server 2007; Windows SharePoint Services 3.0/2.0; Microsoft SharePoint Portal Server 2003; Virtual Server 2005 R2 SP1; Server 2008 Hyper-V, Windows Storage Server 2003, Windows 2003 R2; Windows Unified Data Storage Server 
Backup Media: Disk and tape (disk-to-disk, disk-to-tape, disk-to-disk-to-tape, VTL/de-dupe appliances) 
Schedulable? Yes 
Scriptable? Yes 
Reporting Options: SQL Server Reporting Services (SSRS) 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: *NetApp; www.netapp.com; 408-822-6000, 800-443-4537 
Product: NetApp SnapRestore 
Price/Licensing: Starts at $5,000 
Supported OSs: Server 2008, Windows 2003, Win2K 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint 
Backup Media: Disk (via NetApp’s Snapshot) 
Schedulable? No 
Scriptable? Yes: RSH, SSH, ZAPI 
Reporting Options: GUI reports can be exported to a variety of common formats 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: NovaStor; www.novastor.com; 805-579-6700 
Product: NovaBACKUP 10 
Price/Licensing: $49.95 for Professional Edition ($99.95 for 3 licenses, $199.95 for 5 licenses, $349.95 for 10 licenses, $899.95 for 25 licenses); contact vendor for Server and Business Essentials pricing 
Supported OSs: Windows Vista (32/64-bit) Home/Business/Enterprise/Ultimate, Windows 2003 (32/64-bit) Standard/Web/Enterprise, Windows XP (32/64-bit) Home/Professional, Win2K, Win2K Server Professional/Advanced Server, SBS 
Windows Server 2008/Server Core Compatibility? No 
Supported Applications: Exchange 2003/2000; SQL Server 2005/2000/Express 
Backup Media: Tape, USB, CD-ROM, DVD, Blu-ray, external hard drive, NAS, FTP, Amazon S3 
Schedulable? Yes: by day, by time 
Scriptable? No 
Reporting Options: Email, direct to printer, quick link to log history 
Remote Administration? No 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Paragon Software Group; www.paragon-software.com; 888-347-5462 
Product: Drive Backup Server 9.0 
Price/Licensing: Starts at $499 for 1 server and 5 workstations 
Supported OSs: Server OSs: Server 2008, Windows 2003, Win2K. Client OSs: Windows Vista, Windows XP; 64-bit OS support 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, Oracle 
Backup Media: Network shares, CD/DVD DL and Blu-ray, primary or secondary hard disk, USB flash media 
Schedulable? Yes: by time/date, by event, at system startup/logon 
Scriptable? Yes (Paragon Scripting Language) 
Reporting Options: Email, log files 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Siber Systems; www.goodsync.com; 703-218-1851, 877-762-6367 
Product: GoodSync Pro 
Price/Licensing: $29.95 per license 
Supported OSs: Windows Vista, Windows 2003, Windows XP, Windows ME, Win2K, Windows 98 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: N/A 
Backup Media: Any location mapped as a drive letter, network location, FTP server, WebDAV server, or Windows Mobile device 
Schedulable? Yes: multiple scheduling options 
Scriptable? No 
Reporting Options: Log (.txt) files 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: Symantec; www.symantec.com; 408-517-8000, 800-631-8124 
Product: Symantec Backup Exec Family 
Price/Licensing: Starts at $995 per server for Symantec Backup Exec 12.0; $1,095 per system for Symantec Backup Exec System Recovery 8.0 
Supported OSs: Server 2008, Windows 2003, Windows 2003 x64 editions; Windows Storage Server 2003 SP1; SBS 2003 SP1 and R2; XP SP2, XP Pro x64 Edition; Win2K Server SP4, Update Rollup 1 for SP4; SBS 2000 SP4 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, Active Directory 
Backup Media: Disk-to-disk-to-tape for Backup Exec 12.0; disk-to-disk for Backup Exec System Recovery 8.0 
Schedulable? Yes: by time, by event 
Scriptable? Yes: BEMCMD utility provides switches and options that can be called by any scripting language that supports calling external processes 
Reporting Options: Veritas Backup Reporter for Backup Exec; Backup Exec System Recovery Manager for Backup Exec System Recovery (predefined reports exported to Excel, CSV, HTML, XML) 
Remote Administration? Yes (through remote agents) 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: *UltraBac Software; www.ultrabac.com; 425-644-6000 
Product: UltraBac 8.3 
Price/Licensing: $495 for UltraBac Server Edition; $1,095 for UltraBac Enterprise Edition (7 servers and workstations); quantity discounts available 
Supported OSs: Server 2008, Windows 2003, Windows XP, Win2K, Windows NT 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange Server, SQL Server, SharePoint, NetWare, Oracle, UNIX 
Backup Media: Any type of local or remote media (disk, tape, CD-RW, optical), TSM, FTP 
Schedulable? Yes 
Scriptable? Yes: command-line scripting, VBScript, Windows Script Host, PowerShell, Perl 
Reporting Options: Email, text, HTML 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Company: *Yosemite Technologies; www.yosemitetech.com; 408-737-3311, 800-228-9236 
Product: Yosemite Backup 8.5 Standard 
Price/Licensing: Master Server starts at $649 plus options; Single Server starts at $299 
Supported OSs: Server 2008, Windows Vista, Windows 2003, Windows XP, Linux, NetWare 
Windows Server 2008/Server Core Compatibility? Yes 
Supported Applications: Exchange, SQL Server, SharePoint 
Backup Media: Tape, CD, DVD, disk, removable disk 
Schedulable? Yes: by time 
Scriptable? Yes: command line, API 
Reporting Options: Email, Excel-compatible 
Remote Administration? Yes 
Volume Shadow Copy Service (VSS) Compatibility? Yes 


Pre-Backup Analysis? 

Yes 
Yes 
No: see Snapshot for backup info 
No 
Yes 
Yes 
No 
No 


Differential Backups? 
Virtual Machine Compatibility? 

Progressive incremental backups 
Yes: uses a combination of block-level synchronizations and log-based application backups 
No: see Snapshot for backup info 
Yes 
Incremental backups 
Yes 
Yes 
Yes 
Yes 
Yes: Microsoft Hyper-V, VMware ESX Server, Citrix XenServer 
Yes 
Yes 
Yes 
Yes: VMware ESX Server and Microsoft Virtual Server 
Yes 
Yes 


Editor's Note: Some vendors that you might expect to see in this Buyer's Guide either didn’t have a product that exactly matched the criteria or didn’t respond to our requests for 
an upcoming Buyer's Guide, go to www.windowsitpro.com/buyersguide. 


*These companies have additional products that we didn’t have room for in print. See the complete product table at www.windowsitpro.com, InstantDoc ID 100032. 
What's Hot: 
Reader Review 


Microsoft Exchange is the dominant enterprise email and messaging 
platform, but IT professionals such as consultant Chad Mauthe 
sometimes find the cost and complexity of deploying and maintaining 
an Exchange environment to be overkill for small environments. While 
developing a hosted messaging service for his clients, Mauthe 
reviewed several other alternatives and decided to use SmarterTools’ 
SmarterMail 5.x mail server. 

“I’ve been using the SmarterMail mail server for more than a year, 
and it does just what I need,” says Mauthe. “I mainly picked it over 
Exchange due to its minimal cost, straightforward licensing, ease of 
management, and an equivalent feature set.” In addition to security 
features such as antispam, antivirus, and intrusion detection and 
prevention, SmarterMail provides email archiving. 

For Mauthe, installation was painless, and the technical support on 
the SmarterTools website got him up and running without having to 
call someone. He mentions that SmarterMail can synchronize with 
Outlook and mobile devices (including BlackBerry), but it doesn’t 
always work smoothly. “I don’t think I’ve perfected [how to use] the 
mobile synchronization features yet, so it could be me.” 

In Mauthe’s opinion, SmarterMail would be a robust solution for many 
companies with small messaging needs; a recent deployment involving 
four domains and approximately 30 users went off without a hitch. 
“You get a lot of features that Exchange offers for a lot less 
money,” says Mauthe. “I ended up spending just a few hundred dollars 
rather than a few thousand, or more.” 


Chad Mauthe, Owner/President, 
nCompass Technology 

SmarterMail 5.x 
SmarterTools 
www.smartertools.com 


—Jeff James 
InstantDoc ID 100058 
WHAT’S NOT 


Jerry Seinfeld + Windows Vista 

Before press time we heard that 
Microsoft enlisted the comedic 
talents of Jerry Seinfeld in a new 
EVe-laakslaremerslan)ey-1(e]aM=y,4re)|I Tare) 

(or is that re-extolling?) the 

virtues of Windows Vista. Jerry 

is a funny man, but is a comic 
from the 1990s—whose character 
only used a Mac—really the best 
choice to help Microsoft salvage 
the damaged reputation of Vista? 
One Windows IT Pro editor sug- 
gested the late (and great) Rodney 
1DY-Yave{=1ai(Vo Multa alam ke (elem ate(-am ale) 
respect!” act would have been more 
appropriate. 


Bloated Antivirus Software 
Protecting your computer from mal- 
ware and viruses is an important 
task, but resource-hogging antivirus 
software seems like a poor solution 
Ivor AV->.<1ave pl o)ce)e)(= 100m BL=V{=1(0) o\=19 
Sunbelt Software hopes to have an 
answer with VIPRE, a new antivirus 
security solution that promises pro- 
iv-reld (oye MUVivaCelelmuat=mo) (oy-1am (Mote) arele 
a review of VIPRE in an upcoming 
issue of Windows IT Pro.) 


Security Breaches 

A recent story by the Hartford 
Courant indicates that personal 
Ta\codanarelucoyane) Manley comaat-]aiM D2 

Tayi itreyaM eX=xe)) (=m eo)al rllal=ve Koya) 
storage tapes lost in May 2008 by 
the Bank of New York Mellon. Some 
people have always been reluctant 
to release their personal informa- 
tion to banks and other institu- 
tions, and this latest news will only 
[nate] <om eX=xe) 0) (=m ante) (=m (=) |U(eie-1a] mxe nolo) 
so. Perhaps some stiff new laws, 
regulations, and—perhaps most 
importantly—fines and penalties 
Elcom lame) cola celmeoyan) oy-alscmtarela 
lar-lave|(=maat=iimelulsixean\-yallalceanar-leceyay 
so poorly? 


Citrix Discusses “Project Kensho” 


Now that Microsoft has finally shipped Hyper-V, it has officially 
joined the battle over which hypervisor-based virtualization solution 
will emerge victorious. Will Microsoft's Hyper-V be the eventual 
victor? Will VMware manage to hold on to its commanding lead in 
market share and technology? Or will Citrix and its XenServer product 
cross the finish line first? 

In the view of Simon Crosby, CTO of the Virtualization and Management 
Division at Citrix Systems, the battle over hypervisors has already 
been decided. According to Crosby, the hypervisor is well on its way 
to becoming a commodity, thanks in part to the introduction of 
XenServer and Hyper-V into the marketplace. “As the hypervisor gets 
commoditized, management of the virtual infrastructure [becomes the 
focus],” says Crosby. “Creating standards for interoperability 
between virtual machine formats is an important step towards that. 
Project Kensho highlights the Citrix commitment to interoperability 
for virtualization.” 

So what is Project Kensho? According to Crosby, Kensho—which derives 
its name from the Buddhist spiritual concept of working towards true 
enlightenment—will provide a new collection of tools to allow IT 
administrators to easily import and export their virtualized 
workloads using the new industry-standard Open Virtual Machine Format 
(OVF), which was ratified by the Distributed Management Task Force 
(DMTF) in September 2007. Rather than having to suffer the slings and 
arrows of incompatible application virtualization formats (think 
Betamax vs. VHS or Blu-ray vs. HD-DVD), OVF will let vendors develop 
management tools for managing virtualized application workloads, 
regardless of which vendor's virtualization solution created the 
workloads. OVF will allow Microsoft System Center Virtual Machine 
Manager 2008 (VMM) to manage virtual machines (VMs) created by 
XenServer, ESX Server, or Hyper-V. 

Crosby elaborates on Project Kensho in his blog, explaining that the 
creation of the OVF standard has helped enable a promising new phase 
in the evolution of virtualization in the enterprise. “OVF also 
supports software license checking for the enclosed VMs, and allows 
an installed VM to localize the applications it contains and optimize 
its performance for a given virtualization environment,” he writes. 
“At the DMTF interoperability event, we used Project Kensho to create 
VMs from VMware, Hyper-V, and XenServer in the OVF format....Kensho 
will allow application vendors and IT users to produce virtual 
appliances once as ‘golden application templates,’ independent of the 
virtualization platform used to deploy them, and is a clear 
demonstration of how Citrix will add value to Hyper-V.” 

That last sentence is key, as it reinforces the Citrix strategy of 
partnering with Microsoft against VMware. Whereas VMware seeks to 
battle Microsoft over every inch of the virtualization market, Citrix 
seems content to serve in a role supportive of Microsoft's 
virtualization ambitions. Given the closeness between the two 
companies, rumors of a merger between Citrix and Microsoft have been 
discussed and debated by analysts and pundits, but Microsoft might 
have little to gain from acquiring the company. A technical preview 
of the Project Kensho tools can be downloaded from www.citrix.com. 


—Jeff James 
InstantDoc ID 99827 

Barriers to Green Computing 


Going green is just like exercise—knowing you should do it and 
actually doing it are two different things. Price is typically cited as 
the biggest barrier to IT going green, according to a recent survey of 
more than 3,500 IT decision makers in 11 countries. The respondents 
were asked to select the top two barriers to purchasing green hard- 
ware for their organizations. The top five reasons selected were: 

- Price 
- Disagreement internally/politically 
- Efficiency will not offset costs 
- Brands not convincing us of ROI 
- Brands not promoting importance of green products 


Nevertheless, more than 70 percent of the survey participants said 
that they would probably or definitely be influenced toward green 
products if they were convinced that those products would have a 
positive effect on both the environment and their business. 

The 2008 survey was conducted by GreenFactor—a joint initiative 
between Strategic Oxygen, GCI Group, and Cohn & Wolfe—and offers 
insight into green marketing opportunities and further green-related 
research globally. The study looked at more than 20 IT brands to 
determine IT decision makers’ perceptions of green IT products and 
the marketing of those products. The decision makers, consisting of 
CIOs and other C-level executives, IT managers, and line of business 
managers, were asked which brands they most associate with green 
technology. The results indicate that no IT brand is the green leader 
and that there isn’t a statistically significant difference between 
the top seven brands—Apple, Dell, HP, IBM, Intel, Microsoft, and 
Sony. 

The respondents were also asked if their organizations would 
consider purchasing green versions of laptops, desktops, servers, 
storage, and network hardware in the next 12 months. More than 
70 percent said they would probably or definitely look for green 
laptops and desktops, and more than 60 percent said they would 
probably or definitely look for green servers, storage devices, and 
network hardware. For the purposes of the study, green products 
are defined as those that use power efficiently, come in recyclable 
or reusable packaging, can be recycled through the manufacturer 
when they become outdated, use nontoxic materials, or are manu- 
factured by companies that invest in future green concepts (e.g., 
alternative materials). 

For more results and information about the GreenFactor study, 
go to www.greenfactorstudy.com. 


—Karen Bemowski 
InstantDoc ID 99805 
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by Jason Bovberg 


Upgrade to Management 


“Hey, too much is never enough for Windows Vista ...”

“The users are demanding more bandwidth for YouTube videos and IMing with friends.”

“We're trying to hack into the financial records of our largest competitor, and this should help us download those credit card numbers faster.”

“It will let me search job-posting sites more quickly.”

“An upgrade will reduce network latency so I can finally pwn those noobs in Accounting in Halo.”

“Now that we've outsourced IT to Malaysia, we can easily afford it.”

“The EPA has traced the root cause of the Polar ice melt to our server room.”

“I've collected MPEG files of every Jessica Alba movie ever made, and this upgrade will help me view them during my lunch break without bringing the network to a crawl.”

“All the big companies have fancy networks, and we never get anything good!”

“That guy driving around the office in an unmarked panel van (with the tinted windows) told me our wireless network signal is too weak.”

[Screenshot: InvalidCastException dialog box: “At least one element in the source array could not be cast down to the destination array type.”]
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Wi confine me to such 




Thanks for the (very specific) warning! 
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Web Application Performance 


Across 
3. A significant occurrence 
4. A basic conceptual structure used to solve or 
address complex issues 
8. Monitored to identify actual or potential 
bottlenecks 
. Application monitoring should be done 24x7 
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a performance problem 
blame when problems occur 


Down
1. Increased has a negative effect on the user experience
2. A person, group, organization, or system that affects or can be affected by an organization’s actions
5. Creates new management challenges
6. To move from summary information to detailed data by focusing in on something
7. One role of customer experience monitoring
8. Companies are relying more and more on these types of applications
9. Transactions that serve no business value other than to exercise the system programming and infrastructure
. Monitored to evaluate network connectivity and application performance
11. CA Wily Technology’s solution for monitoring Web application performance
12. Notification of possible performance problems
14. Allows IT to more effectively manage Web applications
16. The process of gaining knowledge or some desired result by intelligent guesswork
19. The success of Web-based applications must be measured from whose perspective?

Find the answers at www.windowsitpro.com/go/puzzle
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Clear the clutter 
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